How to Verify a JWT Signature
Step-by-step guide to verifying JWT signatures using HMAC secrets or RSA/EC public keys — and understanding what the claims tell you.
Tool Used
JWT Signature Verifier
Paste your JWT token
Open the JWT Signature Verifier tool. Paste your JWT into the token field. A JWT is three base64url-encoded segments separated by dots: header.payload.signature. The tool automatically decodes and displays the header and payload without needing the key — but verification requires the correct key.
Read the header to find the algorithm
Look at the decoded header panel. The alg field tells you which signing algorithm was used: HS256/HS384/HS512 for HMAC (symmetric), RS256/RS384/RS512 for RSA (asymmetric), or ES256/ES384/ES512 for ECDSA (asymmetric). This determines what kind of key you need for verification. The kid field, if present, identifies which key to use from a JWKS endpoint.
Enter your key and verify
For HMAC tokens: select the matching HS algorithm and enter your shared secret in the secret field. For RSA or ECDSA tokens: select the RS or ES algorithm and paste the public key in PEM format (begins with -----BEGIN PUBLIC KEY-----). Click Verify. The tool reports whether the signature is valid or invalid.
Check the standard claims
Even with a valid signature, check the registered claims in the payload. exp is the expiration timestamp — reject tokens where exp is in the past. nbf is not-before — reject tokens where nbf is in the future. iss is the issuer — verify it matches the expected identity provider. aud is the audience — verify it matches your service identifier. The tool highlights expired or not-yet-valid tokens.
Decode and inspect the payload claims
The decoded payload panel shows all claims as formatted JSON. Apart from the registered claims, the payload contents vary by identity provider: look for sub (the user identifier) and for claims such as email, roles, or permissions that your application uses for authorization. Never trust payload claims without first verifying the signature and checking expiration.