JWT Signature Verifier
Verify JWT HMAC signatures (HS256, HS384, HS512) using the Web Crypto API. Decode header and payload, check expiry, and confirm token integrity — all client-side.
What Is JWT Signature Verification?
A JSON Web Token (JWT) consists of a header, payload, and signature separated by dots. The signature is computed by the server using a secret key and is used to verify that the token has not been tampered with. This tool recomputes the HMAC signature from the header and payload using your secret, then compares it against the token's signature — all client-side using the Web Crypto API.
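The check described above, written against the Web Crypto API as an added example; it is not this tool's own code. The function names (`verifyJwtHmac`, `signJwtHmac`, `hmac`, the Base64url helpers) and the result shape are assumptions, and `signJwtHmac` is there only to build a constructed token to verify.

```javascript
// Added example (not the tool's code). All function names are assumptions.
const HASH = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };
const enc = new TextEncoder();
const dec = new TextDecoder();

function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  // atob() throws on characters or lengths that are not valid Base64.
  return Uint8Array.from(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')), c => c.charCodeAt(0));
}

function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Browsers expose globalThis.crypto.subtle; the import() fallback only runs under older Node.
async function hmac(secret, alg, usage) {
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const key = await subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: HASH[alg] }, false, [usage]);
  return { subtle, key };
}

// Builds a constructed test token; a real token comes from the issuing server.
async function signJwtHmac(header, payload, secret) {
  const input = [header, payload].map(o => bytesToB64url(enc.encode(JSON.stringify(o)))).join('.');
  const { subtle, key } = await hmac(secret, header.alg, 'sign');
  const sig = await subtle.sign('HMAC', key, enc.encode(input));
  return input + '.' + bytesToB64url(new Uint8Array(sig));
}

async function verifyJwtHmac(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) return { valid: false, reason: 'malformed' };
  let header, payload, sig;
  try {
    [header, payload] = parts.slice(0, 2).map(p => JSON.parse(dec.decode(b64urlToBytes(p))));
    sig = b64urlToBytes(parts[2]);
  } catch {
    return { valid: false, reason: 'malformed' };
  }
  // Allowlist: "none", RS256, ES256 and anything else are rejected, never silently accepted.
  const alg = header?.alg;
  if (typeof alg !== 'string' || !Object.hasOwn(HASH, alg)) return { valid: false, reason: 'unsupported alg' };
  const { subtle, key } = await hmac(secret, alg, 'verify');
  // The signing input is the first two segments exactly as received, not re-encoded JSON.
  const ok = await subtle.verify('HMAC', key, sig, enc.encode(parts[0] + '.' + parts[1]));
  if (!ok) return { valid: false, reason: 'invalid signature' };
  const expired = typeof payload?.exp === 'number' && payload.exp <= nowSec;
  return { valid: true, expired, header, payload };
}
```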
How to Use
- Paste your JWT into the token field.
- Enter the HMAC secret used to sign the token.
- Click Verify Signature — the result shows whether the signature is valid.
- Header and payload are decoded and displayed automatically.
Features
- Supports HS256, HS384, and HS512 HMAC algorithms.
- Decodes and displays header and payload without any server call.
- Shows expiry status (exp), issued-at time (iat), and subject (sub).
- All verification uses the browser's native Web Crypto API — your secret never leaves the page.
FAQ
Does this support RS256 or ES256?
Not currently. Asymmetric algorithms (RS256, RS384, RS512, ES256, etc.) require a public key in PEM format. This tool supports HMAC (symmetric) algorithms only: HS256, HS384, and HS512.
Is my secret safe?
Yes — the secret is never sent to any server. All cryptographic operations happen locally in your browser using the Web Crypto API. Nothing leaves your machine.
What does "invalid signature" mean?
It means the signature in the token does not match what would be produced by signing the header and payload with your provided secret. Either the secret is wrong, or the token has been tampered with.