JWT Signature Verifier (RS256/ES256, Public Key Verification)

A developer tool that verifies JWTs (JSON Web Tokens) signed with RS256 or ES256 using an SPKI-format public key (PEM), right in your browser. It also decodes the header/payload and checks the expiry claim. Nothing you enter is sent to a server; everything runs client-side.

Supported signature algorithms

Algorithm Key type Hash function Description
RS256 RSA (RSASSA-PKCS1-v1_5) SHA-256 Signature using RSA public-key cryptography. The default algorithm for ID tokens issued by major OAuth 2.0/OpenID Connect providers such as Google, Auth0, and Okta.
ES256 ECDSA (P-256 curve) SHA-256 Signature using elliptic-curve cryptography, offering equivalent security to RSA with shorter keys and signatures — increasingly popular for mobile apps and IoT devices.

Tips

  • The public key must be in PEM format (SPKI, starting with "-----BEGIN PUBLIC KEY-----"). Pasting a private key file or a certificate (.crt) directly will not work.
  • The verification algorithm is chosen automatically based on the alg field in the JWT header (RS256 or ES256) — no manual selection needed.
  • The tool also checks the payload's exp claim alongside signature verification and warns if the token has expired. A valid signature does not mean the token should still be accepted.
  • This tool only supports RS256 and ES256. To check an HS256-signed JWT, use the companion JWT Encoder to re-sign with the same shared secret and compare the result.
  • The public key you use for verification is not secret, so it is fine to paste one obtained from an identity provider's public endpoint (such as a JWKS).

Frequently Asked Questions

No, only RS256 and ES256 are supported. HS256, HS384, and HS512 rely on a shared secret rather than a public key, so they cannot be verified by a tool that only accepts a public key. To check an HS256 signature, use the companion JWT Encoder to re-sign with the same secret and compare the output.

Identity providers (Google, Auth0, Okta, etc.) publish their public keys through a public endpoint called a JWKS (JSON Web Key Set). Use a JWKS-to-PEM conversion tool, or refer to the public key documented by the specific service you are integrating with.

The most common causes are: (1) the public key you entered does not correspond to the private key that signed the JWT, (2) the header, payload, or signature was altered or corrupted in transit, or (3) characters were dropped while copying. Try copying both the JWT string and the public key again, straight from the original source.

Currently only RS256 and ES256 are supported. Variants using longer hash functions, such as RS384/RS512 and ES384/ES512, are candidates for future support.

Yes — signature validity and exp expiration are checked and displayed independently. A token with a valid signature but an expired exp claim should generally still be rejected by real systems, so be sure to check the expiry warning shown on screen as well.
ツールくん

Side Note — HMAC vs. public-key signatures: what is the difference?

JWT signature schemes fall into two broad families: shared-secret (HMAC, e.g. HS256) and public-key (RSA/ECDSA, e.g. RS256 and ES256). With a shared secret, both the signer and the verifier must hold the same secret string; with public-key cryptography, only the signer holds a private key, while anyone can verify using the publicly available key. This distinction shapes how APIs are designed. The companion JWT Encoder (HS256) suits cases where the same server both issues and verifies tokens, while RS256/ES256 — the focus of this tool — suit cases where the issuer and the verifier belong to different organizations or servers entirely.

In practice, ID tokens issued by major identity providers such as Google OAuth 2.0, OpenID Connect, Auth0, and Okta are almost always signed with RS256 (with ES256 often available as an alternative). This lets the identity provider hold the only private key while any number of client applications verify tokens using just the public key — eliminating the need to distribute a secret to every client and confining the risk of key leakage to a single point at the signer.

RS256 and ES256 both hash with SHA-256, but differ in the underlying cryptography. RS256 uses RSA (typically 2048-bit or longer keys), which tends to produce larger signatures but benefits from mature, widely supported libraries. ES256 uses elliptic-curve cryptography (P-256), achieving comparable security with much shorter keys and signatures — a growing favorite for mobile environments and APIs where payload size matters.

→ Browse all trivia