How do I verify a JWT HS256 signature?

Paste your JWT, open Advanced Options and enter the HMAC secret. The tool uses SubtleCrypto to recompute the HMAC-SHA256 and compare it with the token's signature.

How do I verify a JWT RS256 signature?

Paste your JWT and enter the RSA public key in PEM (SPKI) format. The tool imports the key via SubtleCrypto and verifies the RSA-PKCS#1-v1_5 SHA-256 signature.

What is the difference between HS256 and RS256?

HS256 uses a shared symmetric secret (same key to sign and verify). RS256 uses an asymmetric key pair: the private key signs, the public key verifies — better suited for distributed architectures.

Why does JWT signature verification fail?

Common causes: wrong secret, tampered token, algorithm mismatch, or incorrect key format. Note: an expired token still has a valid signature — expiration is a separate check.

Flowfiles ← JWT Decoder

Verify JWT Signature Online

JWT Signature Validator — HS256 · HS384 · HS512 · RS256 · RS384 · RS512 · ES256 · PS256 — 100% local

Paste your JWT and enter the HMAC secret or RSA/EC public key PEM to verify the signature. The tool uses the browser's SubtleCrypto API for cryptographic verification without sending any data.

Verify your JWT signature instantly

Open the JWT Verifier →

How to verify a JWT signature

Verifying a JWT signature confirms two things: the token was issued by the expected party, and it has not been tampered with.

HS256/384/512: enter the shared secret. The tool recomputes HMAC and compares.
RS256/384/512: enter the PEM public key (SPKI). The tool verifies RSA-PKCS#1-v1_5.
PS256/384/512: enter the PEM public key. The tool verifies RSA-PSS.
ES256/384/512: enter the EC PEM public key. The tool verifies ECDSA.

Frequently asked questions

How do I verify an HS256 JWT signature?

Paste your JWT, click Advanced options and enter the HMAC secret. The tool recomputes HMAC-SHA256 over the encoded header and payload, and compares it with the token's signature byte-by-byte.

How do I verify an RS256 JWT signature?

Enter the RSA public key in PEM format (-----BEGIN PUBLIC KEY-----, SPKI). The SubtleCrypto API imports the key and verifies the RSA-PKCS#1-v1_5 SHA-256 signature. No private key is needed to verify.

Does valid signature mean the token is valid?

Signature validity confirms authenticity (not tampered, known source) but not temporal validity. A token can have a valid signature but still be expired (exp in the past) or not yet active (nbf in the future).

Is my HMAC secret exposed?

No. The secret is only used for HMAC computation inside SubtleCrypto — it never leaves the browser. For RS256, only the public key is required, not the private key.

Related tools

Full JWT Decoder Decode a JWT JWT Expiration JWT OAuth 2.0 Base64 Encoder UUID Generator