GetDevUtils - Professional Developer Utilities

The ultimate suite of AI-powered developer tools for modern engineering. Secure, local-first utilities for JSON formatting, JWT debugging, SQL beautification, and more.

Featured Developer Tools

Why Choose GetDevUtils?

← Back to GetDevUtils

JWT Verifier

Verify JWT signatures with HS256, RS256, and ES256 algorithms. Decode headers, validate claims, check token expiry, and test JWT authentication locally.

Use JWT Verifier Now →

What is JWT Verifier?

JWT Verifier validates the signatures of JSON Web Tokens (JWTs) to ensure they haven't been tampered with. Unlike the JWT Debugger which only decodes tokens, JWT Verifier performs cryptographic verification using your secret (for HS256) or public key (for RS256/ES256). This is essential for debugging authentication flows and validating token integrity.

Why Use This Tool?

When debugging authentication issues, you need to verify if tokens are correctly signed. Common scenarios include: testing newly issued tokens, debugging "invalid signature" errors, validating tokens from third-party providers, and ensuring key configuration is correct. JWT Verifier performs this verification entirely in your browser - your secrets and tokens never leave your device.

How to Use JWT Verifier

  1. Paste the complete JWT token
  2. Select the algorithm used (HS256, RS256, ES256, etc.)
  3. Enter the secret (for HMAC) or public key (for RSA/ECDSA)
  4. Click "Verify" to check the signature
  5. View decoded header and payload alongside verification result
  6. Check expiration and other claims automatically

Features

  • HMAC algorithms: HS256, HS384, HS512
  • RSA algorithms: RS256, RS384, RS512, PS256, PS384, PS512
  • ECDSA algorithms: ES256, ES384, ES512
  • Complete signature verification using Web Crypto API
  • Automatic expiration checking (exp claim)
  • Not-before validation (nbf claim)
  • Issuer and audience claim inspection
  • PEM key format support

Common Use Cases

  • Authentication Debugging: Verify tokens are correctly signed
  • Key Rotation: Confirm new keys sign tokens correctly
  • Third-Party Integration: Validate tokens from OAuth providers
  • Security Audits: Verify token signing configuration
  • Development Testing: Test token generation before deployment

Tips & Best Practices

  • For RS256, you only need the public key to verify - never share private keys
  • HS256 secrets should be at least 256 bits (32 characters) for security
  • Check kid (Key ID) header claim when using JWKS with multiple keys
  • Expired tokens (exp claim) will show as invalid signature

How It Compares to Alternatives

jwt.io allows signature verification but sends tokens to Auth0's servers. JWT Verifier performs all cryptographic operations locally using the Web Crypto API. Unlike library-based verification, it provides a visual interface for debugging.

Frequently Asked Questions

How do I verify a JWT signature?

Paste your JWT token and enter the secret (for HS256) or public key (for RS256/ES256). Click Verify to check if the signature is valid and hasn't been tampered with.

What algorithms are supported?

We support HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), and PS256, PS384, PS512 (RSA-PSS).

Is my secret key safe?

Absolutely! All verification happens locally in your browser. Your secret keys and tokens are never sent to any server. Check your network tab to verify.

Ready to Get Started?

Use JWT Verifier for free - no registration required.

Launch JWT Verifier

Related Tools