JWT Verifier

Verify a JWT signature in your browser. Supports HS256, HS384, HS512, RS256 to RS512, PS256 to PS512, ES256, ES384, plus exp, nbf, iss, aud checks.

The token, the secret, and the public key never leave your browser. Verification runs locally using the Web Crypto API.

Algorithm

Auto reads alg from the token header. Override if you suspect an algorithm confusion attack.

Pick UTF-8 if the issuer published the secret as plain text, or Base64 if the secret was encoded.

Optional claim checks

Leave issuer or audience blank to skip the check. Leeway loosens the exp / nbf / iat checks to tolerate clock skew between the issuer and the verifier.

Token summary

Algorithm: HS256
Type: JWT
Key ID (kid): (not set)
Signature length: 32 bytes

Claim checks

exp (expiration): Expires at 2096-10-02T07:06:40.000Z (in 70 years).
iat (issued at): Issued at 2023-11-14T22:13:20.000Z (3 years ago).

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "Jane Doe",
  "iat": 1700000000,
  "exp": 4000000000,
  "role": "admin"
}

What this tool verifies

  • The signature on the token was produced by the same secret or private key that pairs with the secret or public key you provide.
  • The token has not expired (exp) and is currently active (nbf), honoring the leeway you set.
  • Optionally, the issuer (iss) and audience (aud) claims match the values you expect.
  • The header advertises an algorithm that matches the one you selected. Mismatches surface a warning so algorithm confusion attacks are easier to catch.

Supported algorithms

HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384

HS family uses HMAC with a shared secret. RS and PS families use RSA public keys (PKCS1-v1_5 and PSS respectively). ES uses ECDSA on NIST P-256 (ES256) or P-384 (ES384). Tokens with alg: none are always reported as invalid.

How to use

  1. Paste the JWT into the token area. The tool decodes the header and payload immediately so you can spot structural problems before verifying.
  2. Pick the algorithm. Auto reads it from the token header; override it if you want to defend against an algorithm confusion attack.
  3. For HS algorithms, paste the shared secret and choose UTF-8 or base64 to match how the issuer published it.
  4. For RS, PS, or ES algorithms, paste the issuer's public key as PEM (SPKI) or as a JWK object.
  5. Optionally enter the expected issuer, expected audience, and a leeway in seconds for clock skew, then click Verify signature.
  6. Read the result panel for the signature outcome and the claim checks panel for exp, nbf, iat, iss, and aud status.

About this tool

JWT Verifier checks whether a JSON Web Token's signature is valid using the Web Crypto API built into your browser. Supported algorithms cover the full set used in practice: HS256, HS384, and HS512 (HMAC with a shared secret); RS256, RS384, and RS512 (RSASSA-PKCS1-v1_5 with an RSA public key); PS256, PS384, and PS512 (RSASSA-PSS with MGF1 and salt length equal to the hash size, per RFC 7518); and ES256 and ES384 (ECDSA on NIST P-256 and P-384).

HMAC secrets can be entered as plain UTF-8 text or as base64. Public keys are accepted as PEM with BEGIN PUBLIC KEY (SPKI) markers, or as a JSON Web Key object pasted directly. ECDSA signatures are accepted in both the raw R-then-S concatenated format defined by RFC 7515 and the ASN.1 DER format that some libraries emit, with automatic conversion.

Beyond the cryptographic check, the tool surfaces every claim the verifier should normally enforce: exp (expiration), nbf (not before), and iat (issued at) are checked against the current clock with a configurable leeway in seconds; iss (issuer) and aud (audience) can be matched against expected values you provide.

The header summary highlights mismatches between the declared algorithm and the one you chose, so algorithm confusion attacks (the alg: none and the HS-versus-RS swap classes) are easy to catch. Tokens with alg: none are always reported as invalid with a clear explanation. The token, the secret, and the public key never leave your browser; every step runs locally on your device.

Free to use. Works in your browser. No signup, no login.
