JWT Signature Verification
Detailed guide on using the JWT Decoder.
JWT Signature Verification
Signature verification ensures the JWT hasn't been tampered with.
How It Works
When a JWT is created, the issuer:
- Creates the header and payload
- Encodes them as Base64URL
- Creates a signature using the chosen algorithm
- Combines:
header.payload.signature
Verification reverses this — the verifier ensures the signature matches the header and payload.
Symmetric vs Asymmetric
Symmetric (HMAC: HS256/HS384/HS512)
- Same secret is used to sign AND verify
- Both parties must share the secret
- Simpler to implement
Asymmetric (RSA/ECDSA/EdDSA)
- Private key signs the token
- Public key verifies it
- Public key can be shared freely
Common Verification Errors
| Error | Likely Cause |
|---|---|
| "invalid signature" | Wrong secret/key or token was modified |
| "jwt expired" | Token's exp timestamp is in the past |
| "jwt malformed" | Token has incorrect structure |
When to Verify
Always verify JWTs on the server side for any protected operation. Client-side verification (as in this tool) is for debugging and learning only.