JWT Token Verifier
Decode and verify JWT token signatures. Supports HS256, RS256, ES256 and more.
- Home
- > Hash & Security >
- JWT Token Verifier
Header
Payload
Verify Signature
How JWT Verification Works
A JWT token has three base64url-encoded parts: Header, Payload, and Signature. The signature is computed by signing the header + payload with a key.
To verify:
- Paste the JWT token — the header and payload are decoded automatically.
- For HS256/384/512, enter the shared secret key.
- For RS256/384/512 or ES256/384/512, enter the public key in PEM format.
- Click "Verify Signature" to confirm the token's integrity.
Frequently Asked Questions
Is verification done in my browser?
Yes. All JWT decoding and signature verification is performed entirely in your browser using the Web Crypto API. Your keys never leave your device.
What does a valid signature mean?
A valid signature confirms that the token was signed with the corresponding private/secret key and that the header and payload have not been tampered with since signing.
What key do I need for verification?
For HMAC algorithms (HS256/384/512), you need the same shared secret used to sign. For RSA (RS256/384/512) and ECDSA (ES256/384/512), you need the public key in PEM format.
Can I verify tokens without a key?
You can decode the header and payload without a key (select the "algorithm none" tokens are flagged). But signature verification always requires the appropriate key.
