JWT Signature Verifier

While the JWT 解码r reveals what in格式化ion a token contains, the signature verifier proves the token is legitimate. A JWT's signature is 创建d by hashing the header and payload with a secret key—only the server that 创建d the token can produce a valid signature. This tool verifies HMAC-based JWT signatures (HS256, HS384, HS512), making it essential for debugging authentication issues and validating tokens locally.

Signature verification process

When you receive a JWT, the signature proves two things: (1) the token was 创建d by someone with the secret key, and (2) the header and payload haven't been modified since creation. To verify, you take the header and payload, apply the same HMAC algorithm with the secret key, and compare the result to the signature. If they match, the token is valid and trustworthy.

HMAC vs. asymmetric signing

HMAC signatures (HS256, HS384, HS512) use a shared secret—both the server that 创建s the token and the client that verifies it know the same secret. This works well when both parties are under your control (like a backend service and a separate API service). For public APIs where you cannot share a secret with users, asymmetric signing (RS256, ES256) is better—the server signs with a private key and the client verifies with a public key.

Debugging failed authentication

If a client claims their token is valid but your server rejects it, this tool helps diagnose the issue. Paste the token and the secret your server uses, then verify the signature. If it fails, the token might have been tampered with, or the client is using the wrong secret. If it passes, the issue lies elsewhere (perhaps in claim validation or token expiration).

Development and testing

This tool is invaluable for testing authentication flows without running your full backend. 生成 a JWT, paste it here with your secret to verify it was signed correctly, or manually modify the payload and confirm the signature fails—proving your signature verification actually works.