
MonoCalc


JWT Signature Verifier


About This Tool

🔐 JWT Signature Verifier – Decode & Verify JSON Web Tokens

The JWT Signature Verifier is a free, client-side tool that lets developers and security engineers decode, inspect, and cryptographically verify JSON Web Tokens (JWTs) directly in the browser. Whether you are debugging an authentication failure, auditing a token's claims, or testing your OAuth 2.0 / OIDC integration, this tool gives you instant, private visibility into any JWT without sending a single byte to an external server.

What Is a JWT?

A JSON Web Token (RFC 7519) is a compact, URL-safe representation of claims transferred between two parties. It consists of three Base64URL-encoded segments joined by dots:

header.payload.signature
  • Header — Declares the token type (typ, usually JWT) and the signing algorithm (alg, e.g. HS256 or RS256).
  • Payload — Contains the claims: registered fields like exp, iat, iss, plus any custom application data.
  • Signature — A cryptographic tag over the encoded header and payload, created with the issuer's HMAC secret or private key. This is what the tool verifies.

How Signature Verification Works

The tool reconstructs the signing input (base64url(header) + "." + base64url(payload)) and checks the third segment against it using the secret or public key you provide. For the HMAC algorithms this means recomputing the tag with the shared secret and comparing it with the signature carried in the token; for RSA and ECDSA the signature is verified with the public key, since RSA-PSS and ECDSA signatures are randomized and cannot simply be recomputed and compared. All operations run in the browser via the Web Crypto API (crypto.subtle.verify), a standard cryptographic interface built into every modern browser, which also performs the comparison internally rather than leaving a byte-by-byte string compare to application code.

Supported Algorithms

The verifier supports the standard JWS signing algorithms defined in RFC 7518:

  • HMAC: HS256, HS384, HS512 — uses a shared secret.
  • RSA (PKCS#1 v1.5): RS256, RS384, RS512 — uses an RSA public key in SPKI/PEM format.
  • RSA-PSS: PS256, PS384, PS512 — uses probabilistic RSA signing, preferred for newer applications.
  • ECDSA: ES256 (P-256), ES384 (P-384), ES512 (P-521) — much shorter keys and signatures than RSA at equivalent security levels.

The algorithm is auto-detected from the JWT header's alg field when you paste a token.

Claims Validation

Beyond signature integrity, the tool validates the standard registered claims defined in RFC 7519:

  • exp — Expiration time. The token is rejected if the current UTC time exceeds this value (adjustable with a clock-skew tolerance).
  • nbf — Not-before time. The token is not valid before this timestamp.
  • iat — Issued-at time. Displayed as a human-readable date for auditing.
  • iss, aud, sub — Issuer, audience, and subject are checked against expected values you optionally supply.
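As an added example (again not the tool's code), a claims-validation routine that applies the rules above in JavaScript once the signature has already been verified. The 60-second skew tolerance, the fixed clock and the sample payload are constructed for the demo, and the requireExp option is an assumption of this example.

```javascript
// Added example, not the MonoCalc tool's code: registered-claim checks
// (RFC 7519 section 4.1) applied to an already signature-verified payload.
// `now` is epoch seconds; `skew` is the clock tolerance in seconds.

function validateClaims(payload, expected = {}, now = Math.floor(Date.now() / 1000), skew = 60) {
  const errors = [];
  const isTime = v => typeof v === 'number' && Number.isFinite(v);

  // exp: the current time must be before exp (tolerance applied as now - skew)
  if (payload.exp !== undefined && (!isTime(payload.exp) || now - skew >= payload.exp)) {
    errors.push('exp: token expired');
  }
  // nbf: the current time must be at or after nbf (tolerance applied as now + skew)
  if (payload.nbf !== undefined && (!isTime(payload.nbf) || now + skew < payload.nbf)) {
    errors.push('nbf: token not yet valid');
  }
  // iat: an issued-at time in the future indicates a bad clock or a forgery
  if (payload.iat !== undefined && (!isTime(payload.iat) || payload.iat > now + skew)) {
    errors.push('iat: issued in the future');
  }
  if (expected.iss !== undefined && payload.iss !== expected.iss) errors.push('iss: issuer mismatch');
  if (expected.aud !== undefined) {
    // aud is a single string or an array; the relying party must appear in it
    const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!audiences.includes(expected.aud)) errors.push('aud: audience mismatch');
  }
  if (expected.sub !== undefined && payload.sub !== expected.sub) errors.push('sub: subject mismatch');
  // A token with no exp never expires; most relying parties should insist on one
  if (expected.requireExp && payload.exp === undefined) errors.push('exp: missing');

  return {
    ok: errors.length === 0,
    errors,
    humanIat: isTime(payload.iat) ? new Date(payload.iat * 1000).toISOString() : null,
  };
}

// Constructed sample payload and a fixed clock so the results are reproducible.
const NOW = 1700000000;
const SAMPLE = { iss: 'https://issuer.example', aud: ['api', 'web'], sub: 'alice', iat: NOW - 10, nbf: NOW - 5, exp: NOW + 300 };

function demoClaims() {
  return {
    fresh: validateClaims(SAMPLE, { iss: 'https://issuer.example', aud: 'api', requireExp: true }, NOW),
    withinSkew: validateClaims(SAMPLE, {}, NOW + 330),  // 30 s past exp, inside the 60 s tolerance
    expired: validateClaims(SAMPLE, {}, NOW + 400),
    tooEarly: validateClaims(SAMPLE, {}, NOW - 100),    // 95 s before nbf
    wrongAud: validateClaims(SAMPLE, { aud: 'mobile' }, NOW),
    noExp: validateClaims({ sub: 'bob' }, { requireExp: true }, NOW),
  };
}

console.log(JSON.stringify(demoClaims(), null, 2));
```

Note the asymmetry of the skew: it is subtracted when checking exp and added when checking nbf, so a slightly slow or fast verifier clock errs in the direction of accepting a token that the issuer considers valid, while a token 100 seconds past its expiry is still refused.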

Decode-Only Mode

Use Decode Only when you simply need to inspect the header and payload without providing a secret or key. This is useful for quickly reading claims during development, examining token expiry, or understanding what data an upstream service embeds in its tokens.

Security Considerations

While this tool is safe for development and debugging, keep these points in mind:

  • Avoid pasting production secrets or private keys on shared or public devices, even though no data leaves your browser.
  • Never trust tokens signed with alg: none. The tool displays a prominent security warning for such tokens.
  • Treat the alg header as untrusted input in production code. Pin the algorithm (or at least the key type) you expect instead of letting the token choose it; a verifier that switches algorithms on the header's say-so can be tricked into, for example, checking an HMAC tag against a public key it already knows.
  • Short HMAC secrets are significantly weaker than long random keys: RFC 7518 requires an HMAC key at least as long as the hash output (32 bytes for HS256), and a short or dictionary-word secret can be brute-forced offline from a single captured token. The tool flags obviously weak secrets (fewer than 32 characters).
  • Signature validity alone does not mean a token is trustworthy: always validate exp, iss, and aud in production code.

Common Use Cases

  • Debugging authentication failures in OAuth 2.0 and OIDC flows.
  • Inspecting tokens issued by identity providers such as Auth0, Cognito, or Keycloak.
  • Verifying that a JWT generated by your backend is correctly signed.
  • Auditing third-party API tokens for expiry and claim correctness.
  • Learning JWT internals — the three-segment structure, Base64URL encoding, and signature computation.

Frequently Asked Questions

Is the JWT Signature Verifier free?

Yes, the JWT Signature Verifier is completely free.

Can I use the JWT Signature Verifier offline?

Yes. You can install the web app as a PWA (Progressive Web App); once installed, it runs without a network connection.

Is it safe to use JWT Signature Verifier?

Yes. Any data related to the JWT Signature Verifier is stored only in your browser (if storage is required at all). You can clear the browser's site data to remove it. We do not store any data on a server.

How does the JWT Signature Verifier work?

The tool splits your JWT into its three Base64URL-encoded segments (header, payload, signature), decodes them, and then uses the browser's built-in Web Crypto API to cryptographically verify the signature against the secret or public key you provide. All processing happens entirely in your browser — no data is sent to any server.

Which signing algorithms are supported?

The verifier supports HMAC algorithms (HS256, HS384, HS512), RSA algorithms (RS256, RS384, RS512, PS256, PS384, PS512), and ECDSA algorithms (ES256, ES384, ES512). The algorithm is auto-detected from the JWT header's `alg` field.

What format should I use for RSA or EC public keys?

Paste the public key in PEM format, including the `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` delimiters. This is the SPKI (SubjectPublicKeyInfo) encoding, the one `openssl pkey -pubout` produces, and it is required for both RSA and EC public keys. PKCS#8 is the corresponding format for private keys, which the verifier never needs. If you have an RSA key in the legacy PKCS#1 wrapper (`-----BEGIN RSA PUBLIC KEY-----`), convert it to SPKI first.

What JWT claims are validated?

Beyond signature verification, the tool validates the `exp` (expiration), `nbf` (not before), and `iat` (issued at) time claims against the current UTC time. You can also optionally validate `iss` (issuer), `aud` (audience), and `sub` (subject) against values you provide.

Is my JWT or secret safe to paste here?

Yes. All verification is performed locally in your browser using the Web Crypto API. Your JWT, secret, or public key is never transmitted to any external server. That said, avoid using production secrets on shared or public devices.

What is the difference between Decode Only and Verify modes?

Decode Only mode parses and displays the header and payload without validating the signature — useful for quickly inspecting claims. Verify mode cryptographically checks the signature using the secret or public key you supply, confirming the token was not tampered with.