About The JWT Verifier (HS/RS/ES + JWKS)

JWT Verifier checks JSON Web Token signatures for HS, RS, and ES algorithms using a shared secret, PEM public key or certificate, or JWKS data. It decodes the token and reports whether the signature validates.

Verification runs locally in your browser. The optional JWKS URL fetch makes a browser network request to the URL you provide, so use that only when you intend to contact that host.

How to Verify JWTs Online

1. Paste the complete JWT into the token field.
2. Choose the key source or leave Auto selected and fill the relevant key field.
3. Click Verify JWT and review the signature status, header, payload, and time-claim notes.

Choosing Options Correctly

Use a shared secret for HS algorithms, PEM for RS or ES public keys, and JWKS when you have a key set from an identity provider. A mismatched algorithm family or stale key will fail verification.

Common Use Cases

• Debugging API authentication failures.
• Checking identity-provider tokens during integration.
• Confirming key rotation or kid selection behavior.

Quick FAQ

Can I trust claims before verification?
No. Read claims only as untrusted text until the signature and expected issuer, audience, and timing are verified.

Why did verification fail?
Common causes include wrong key, wrong algorithm, bad Base64URL, changed token bytes, expired claims, or mismatched issuer/audience expectations.

When should I use JWKS URL fetch?
Use JWKS when verifying tokens from an issuer that publishes public keys by key ID. Confirm the JWKS URL belongs to the issuer you expect.

Should I paste live tokens or keys?
Avoid pasting production bearer tokens or private keys. Use test tokens or public verification keys where possible.