Free, browser-based utilities for everyday developer workflows

Verify a JWT Signature

Sign and verify JSON Web Tokens with HS256, RS256, and ES256. Test PKCE OAuth flows. Everything runs in your browser — no secrets are uploaded.

Try it now

Open JWT & OAuth Security Toolkit with a ready-to-run example.

When you need this

  • You want to confirm that your auth service is signing tokens with the correct secret before deploying.
  • You need to verify a token you received against a known secret or public key.
  • You are debugging a 401 Unauthorized error and suspect a signature mismatch.
  • You need to generate a PKCE code_verifier and code_challenge for an OAuth authorization flow.

How to do it with Daily Developer Tools

  • Open the JWT & OAuth Security Toolkit and select the Sign/Verify tab.
  • Choose your algorithm (HS256 for shared secrets, RS256 for RSA key pairs).
  • For HS256: paste your shared secret, enter the payload JSON, and click Sign to generate a token — then paste it back and click Verify to confirm the round-trip.
  • For PKCE: switch to the PKCE tab, click Generate, and copy the code_verifier and code_challenge for your OAuth request.

Tips / common pitfalls

  • HS256 uses the same secret for signing and verifying — keep it confidential.
  • RS256 uses a private key to sign and the corresponding public key to verify. Paste the public key (PEM format) for verification only.
  • The PKCE code_challenge is S256 (SHA-256 hash of the verifier) by default, which is required by most modern providers.
  • Algorithm confusion occurs when a server lets the token's alg header decide how to verify: handed a token re-labelled as HS256, it computes an HMAC with the RSA public key as the shared secret and accepts the result. Pin the expected algorithm in the verifier and reject any token whose header says otherwise.
Examples & test data

HS256 sign and verify round-trip

Payload JSON
{
  "sub": "user_456",
  "role": "editor",
  "iat": 1700000000,
  "exp": 1700086400
}
Secret (HS256)
my-super-secret-key-2024
Expected result
Signature valid ✓
Algorithm: HS256

FAQ

What algorithms are supported?

HS256, HS384, HS512 (HMAC shared secret), RS256 (RSA 2048+ public/private key pair), and ES256 (ECDSA P-256). All cryptography uses the browser's built-in Web Crypto API.

What is PKCE?

Proof Key for Code Exchange is an OAuth 2.0 extension (RFC 7636) that protects the authorization code flow for public clients. You generate a random code_verifier, hash it to produce the code_challenge, and include the challenge in the authorization request.

Is my secret uploaded?

No. All cryptographic operations run entirely in your browser using the Web Crypto API. Your secrets, private keys, and tokens are never transmitted to any server.

What is the difference between signing and verifying?

Signing creates a JWT with a cryptographic signature using your secret or private key. Verifying checks that an existing token's signature matches the expected secret or public key — confirming the token was not tampered with.

Privacy-first: runs locally in your browser. No uploads.

How to verify a JWT signature

Select the algorithm (HS256, RS256, or ES256), paste the token and the corresponding secret or public key, then click Verify. The tool uses the browser's Web Crypto API to perform the cryptographic check and reports whether the signature is valid.

Common use cases

Security engineers use this to validate that tokens generated by their auth service round-trip correctly before shipping to production. Integration developers use it to confirm that tokens from a third-party identity provider carry a valid signature. QA teams use the PKCE generator to manually walk through OAuth authorization flows during testing.

Why run this in your browser?

All processing happens locally in your browser. Your data never leaves your machine, making it safe for sensitive payloads, internal API responses, and confidential configurations.