Skip to content

JWT Signature Verification

Detailed guide on using the JWT Decoder.

JWT Signature Verification

Signature verification ensures the JWT hasn't been tampered with.

How It Works

When a JWT is created, the issuer:

  1. Creates the header and payload
  2. Encodes them as Base64URL
  3. Creates a signature using the chosen algorithm
  4. Combines: header.payload.signature

Verification reverses this — the verifier ensures the signature matches the header and payload.

Symmetric vs Asymmetric

Symmetric (HMAC: HS256/HS384/HS512)

  • Same secret is used to sign AND verify
  • Both parties must share the secret
  • Simpler to implement

Asymmetric (RSA/ECDSA/EdDSA)

  • Private key signs the token
  • Public key verifies it
  • Public key can be shared freely

Common Verification Errors

Error Likely Cause
"invalid signature" Wrong secret/key or token was modified
"jwt expired" Token's exp timestamp is in the past
"jwt malformed" Token has incorrect structure

When to Verify

Always verify JWTs on the server side for any protected operation. Client-side verification (as in this tool) is for debugging and learning only.

Ready to decode?

Decode and inspect JWTs instantly in your browser.

Launch JWT Decoder

Related Tools

Try these complementary developer tools:

Popular Developer Tools

Most-used tools on LangStop