JWT Verifier
Paste a JSON Web Token and its HMAC secret to check whether the signature is valid. The tool recomputes the HS256, HS384 or HS512 signature, compares it to the token, checks the exp and nbf time claims, and shows the decoded header and payload. Everything runs in your browser.
How to verify a JWT
- Paste the JSON Web Token into the token box.
- Enter the shared HMAC secret used to sign it; use a test secret, not a production one.
- Read the verdict: a valid or invalid signature badge plus the expiry and not-before status.
Examples
Standard HS256 token, correct secret
token "eyJhbGci...SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", secret "your-256-bit-secret"
Signature valid (HS256). Not expired.
Frequently asked questions
What is the difference between verifying and decoding a JWT?
Decoding only base64url-decodes the header and payload so you can read them, and it always succeeds. Verifying recomputes the signature with your secret and compares it to the token, which proves the token was issued by someone who holds that secret and was not tampered with. This tool does both, but only a passing signature check means the token can be trusted.
Which algorithms are supported?
The HMAC family: HS256, HS384 and HS512. These sign and verify with a single shared secret. Asymmetric algorithms such as RS256, ES256 and PS256 use a public key instead of a secret, so they are reported as unsupported here. The none algorithm is always treated as unverifiable.
Is my token or secret sent to a server?
No. The signature is recomputed locally in your browser with the Web Crypto API, so your token and secret never leave your machine. Even so, avoid pasting a real production secret into any online tool. Use a test secret whenever you can.
Why does the signature fail even though the token looks correct?
The most common cause is a secret that does not match the one used to sign the token, including a stray space, the wrong encoding, or a base64-encoded key entered as plain text. A mismatched algorithm or a token that was edited after signing will also fail. The header and payload still decode so you can compare the details.
What do the expired and not yet valid statuses mean?
They come from the exp and nbf claims, which are Unix timestamps (seconds since 1970-01-01 UTC). If exp is in the past the token is expired, and if nbf is in the future the token is not yet valid. A token is only fully valid when the signature checks out and it is within that time window.
Can a valid signature still be an invalid token?
Yes. A token can have a correct signature but be expired or not yet valid. This tool reports the signature result separately from the time checks, and the overall verdict is valid only when the signature passes and the token is inside its exp and nbf window.
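The following Python script is an added example, not the tool's own browser code, showing the checks the steps and answers above describe: decoding without trust, recomputing the HS256/HS384/HS512 HMAC over the first two segments and comparing it in constant time, rejecting the none algorithm and any non-HMAC algorithm as unverifiable, and reporting the exp and nbf status separately from the signature result. The function names, the test secret and the payload values are constructed for this example; sign_jwt exists only to build tokens for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# The HMAC family the tool supports; anything else (none, RS256, ES256, PS256) is unverifiable here.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Decoding only: returns (header, payload). This establishes no trust at all."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_jwt(payload, secret, alg="HS256"):
    """Demo helper (assumed, not the page's generator): build an HMAC-signed token."""
    header = {"alg": alg, "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def replace_payload(token, new_payload):
    """Demo helper: swap the payload but keep the old signature (a token edited after signing)."""
    header_b64, _old, sig_b64 = token.split(".")
    new_b64 = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_b64}.{sig_b64}"


def verify_jwt(token, secret, now=None):
    """Return a verdict: signature result, exp/nbf status and the overall 'valid' flag."""
    now = int(time.time()) if now is None else now
    verdict = {"signature": False, "expired": False, "not_yet_valid": False, "valid": False, "reason": ""}
    parts = token.split(".")
    if len(parts) != 3:
        verdict["reason"] = "malformed: expected three dot-separated segments"
        return verdict
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        verdict["reason"] = "malformed: header or payload is not base64url-encoded JSON"
        return verdict
    alg = header.get("alg")
    if alg not in HMAC_ALGS:
        verdict["reason"] = f"unsupported or unverifiable algorithm: {alg!r}"
        return verdict
    # Recompute the MAC over exactly the bytes that were signed: "<header>.<payload>".
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), HMAC_ALGS[alg]).digest()
    try:
        actual = b64url_decode(sig_b64)
    except ValueError:
        actual = b""
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    verdict["signature"] = hmac.compare_digest(expected, actual)
    if not verdict["signature"]:
        verdict["reason"] = f"signature mismatch ({alg}): wrong secret, wrong alg, or edited token"
        return verdict
    # Time claims are reported separately from the signature result.
    exp, nbf = payload.get("exp"), payload.get("nbf")
    if isinstance(exp, (int, float)) and now >= exp:
        verdict["expired"] = True
    if isinstance(nbf, (int, float)) and now < nbf:
        verdict["not_yet_valid"] = True
    verdict["valid"] = not (verdict["expired"] or verdict["not_yet_valid"])
    verdict["reason"] = "ok" if verdict["valid"] else "signature ok but outside the exp/nbf window"
    return verdict


if __name__ == "__main__":
    secret = b"test-secret-not-production"  # constructed test secret
    token = sign_jwt({"sub": "alice", "nbf": 1000, "exp": 2000}, secret)
    print(decode_jwt(token))
    print(verify_jwt(token, secret, now=1500))            # signature ok, inside window
    print(verify_jwt(token, b"wrong-secret", now=1500))   # signature mismatch
    print(verify_jwt(token, secret, now=2500))            # expired
    print(verify_jwt(replace_payload(token, {"sub": "bob"}), secret, now=1500))  # edited
```

Passing `now` explicitly keeps the time checks deterministic; in the tool the current clock is used. Note that a non-HMAC `alg` value is rejected before any key material is touched, which is the same stance the tool takes toward none and the asymmetric algorithms.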
Related tools
JWT Decoder
Decode a JSON Web Token to read its header and payload claims. Shows exp, iat and nbf as dates. Runs in your browser. No signature check.
JWT Generator
Create a signed HS256 JSON Web Token from a JSON payload and secret. Signs in your browser, nothing is sent to a server. Great for testing.
HMAC Generator
Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384 or SHA-512. Verify webhook and API signatures, with hex or base64 output.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
CSP Analyzer
Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.
CVSS Calculator
Calculate a CVSS v3.1 base score and severity from the eight base metrics. Build the vector string and see how each choice moves the score, in your browser.