JWT Verify Online — RS256, ES256, HS256 vs Pasted JWKS

Verify a compact JWT signature against pasted JWKS or JWK in your browser. Optional audience, issuer, clock skew, and HS256 secret. Paste-only — no remote JWKS fetch. Signature verify ≠ authorization.

Loading…
JWT verify — browser-local
Verify signature and standard time claims against pasted JWKS. Never fetches remote keys.

Developer notes

• Paste compact JWT + JWKS JSON (not a URL). • v1 algorithms: RS256, ES256, HS256. • verify ≠ trust or authorization. • Copy result never includes raw private JWKS material. • 512 KB per field.

Options

Clock skew
Tolerance in seconds for exp/nbf (0, 60, or 300).
Ignore expiration
Still verify signature; ignore exp claim failures.
Audience
When set, aud must match (string or array membership).
Issuer
When set, iss must match exactly.

When teams pick this route

• Debug API auth with a JWKS from provider docs. • Check exp/aud/iss after jwt-decode. • Validate HS256 test tokens with jwt-encode fixtures.

Worked examples

RS256 JWT + matching JWKS

JWT

eyJhbGciOiJSUzI1NiIsImtpZCI6ImRvYy1yc2EifQ.eyJzdWIiOiJkZW1vLXVzZXIiLCJhdWQiOiJhcGkiLCJleHAiOjE4MTU3NzIxMDJ9.llca6yHME4h-6XH_GR9sFN6qIGiwyAfy9rUA2ezs9rRmdLEfCMAYSb5YvHo9hMd5PBsb7heUff-iXctMJFbRIWzKZhOcjwOuLc2Jkd9kxhwQoXdICS2liioMc4aNWyUj8-j-9YbsC7pu122EzZrFzpEED3kT4CVPT7WuVLTm9-EHoLSL-M1DhtwvTcX4C-w7mhI_SGkkQfd_J923-BlM0bltDqWZLAeia9dciRigloK615-s9P7mMjcYWIEtkV0h62LW_1t150tvPCTNlo4vBEBUhat8K47Oqt6qsecktPfPHzdigvT8DmBxCzIvb8jTuDtoEWssCt1dfuL67DWy6g

Result

{ "valid": true, "algorithm": "RS256" }

documentation.securityTools.jwtVerify.examples.two.title

JWT

documentation.securityTools.jwtVerify.examples.two.before

Result

documentation.securityTools.jwtVerify.examples.two.after

Related tools

Decode without verify: jwt-decode. Sign HS256: jwt-encode. Inspect keys: inspect-jwks.

JWT verify FAQ

Paste-only verify

Can I paste a JWKS URL?

No. Paste the JSON body of the JWKS — nothing is fetched from the network.

Does verify mean the user is trusted?

No. This checks signature and optional claims only — not authorization or identity provider trust.

When should I use jwt-decode?

Use jwt-decode to read header/payload without verifying. Use this tool when you have the signing keys.

Which algorithms are supported?

v1: RS256, ES256, HS256. Others return unsupported_algorithm.

Security & tokens

JWKS, X.509 certificates, and secrets scan — browser-local.

Explore other tool categories

Minify

Shrink code and assets for production — minify JavaScript, CSS, HTML, JSON and XML before gzip or CDN deploy.

Beautify

Make code readable with consistent indentation — beautify JavaScript, CSS, TypeScript, SCSS, LESS, Markdown, GraphQL, SQL, YAML and more in your browser.

Unminify

Expand minified or compressed code — unminify JavaScript, CSS, TypeScript, SCSS, LESS, SQL, YAML and other formats when debugging or reviewing.

Conversion

Transform data between JSON, YAML, XML and CSV locally — no server uploads.

JSON Tools

Validate, format, diff and explore JSON payloads — complementary to minifiers and converters.

SVG Tools

Preview, optimize with SVGO, export Data URI, resize, beautify, convert to JSX and validate SVG — all in your browser.

DevOps & Infra

Terraform HCL format/validate/minify, Dockerfile format & lint, Docker Compose and .env validation.

CI/CD

GitHub Actions and GitLab CI — format YAML and check workflow/job structure in your browser.

Logs & observability

Line-oriented JSON/NDJSON and Nginx/Apache access logs — format, filter, validate, and CSV/TSV.

Kubernetes

Multi-doc manifests, structural validate, Ingress/Deployment starters, and Helm values formatting.

Networking / IP

CIDR, subnets, and IPv4/IPv6 helpers — in your browser.

API & schemas

OpenAPI tools to format, validate, and lint your specs.

Encoding

Encode or decode Base64, URL components and HTML entities — client-side only.

Developer utilities

Timestamps, UUID, ULID, Nanoid, cron, passwords, regex, slugify, number bases, case, text diff, and chmod — all client-side.

Serialization

Serialize and deserialize PHP data structures beside JSON workflows.