JWS Signature Verification Online

By Anish Nath - Security Engineer & Cryptography Expert | @anish2good | Last Updated: January 2025

JWS Token Input
Paste your JWS/JWT token (header.payload.signature)
HMAC Shared Secret
For HS256, HS384, HS512 algorithms. The same secret used for signing.
RSA/ECDSA Public Key
For RS256/384/512, PS256/384/512, ES256/384/512. PEM format public key for verification.


Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.

JWS Signature Verification Guide

JWS Signature Verification is the process of cryptographically validating that a JSON Web Signature token has not been tampered with and was signed by a trusted party.

How JWS Verification Works
HMAC Verification (Symmetric)
  1. Extract the algorithm from the header
  2. Compute HMAC over header.payload using the shared secret
  3. Compare computed signature with the token's signature
  4. If they match, signature is VALID
RSA/ECDSA Verification (Asymmetric)
  1. Extract the algorithm from the header
  2. Decode the signature from Base64URL
  3. Use the public key to verify the signature over header.payload
  4. If verification succeeds, signature is VALID
Common Verification Errors
Error | Cause | Solution
Signature Invalid | Wrong key or modified token | Verify you're using the correct key that matches the signing key
Algorithm Mismatch | Using HMAC key with RSA algorithm or vice versa | Check the alg header and use the appropriate key type
Key Format Error | Invalid PEM format or encoding | Ensure public keys include BEGIN/END markers and proper Base64 encoding
Invalid JWS Format | Token doesn't have three parts | JWS must be in format: header.payload.signature
Verification Security Best Practices
  • Always verify signatures - Never trust a JWS/JWT without cryptographic verification
  • Whitelist algorithms - Only accept expected algorithms, reject alg: none
  • Validate claims after verification - Check exp, nbf, iss, aud
  • Use constant-time comparison - Prevent timing attacks (handled by crypto libraries)
  • Protect your keys - Keep shared secrets and private keys secure
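The HMAC steps and the best practices above (algorithm allow-list, constant-time comparison, claims checked only after the signature), as an added Python example that is not this tool's own code. The function names, the sample secret and the claim values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Added illustration: names below are hypothetical, not this tool's code.
# Allow-list of HMAC algorithms; anything else, including "none", is rejected.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_json(segment: str) -> dict:
    """Decode one Base64URL segment (padding restored) into a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def sign_hs(header: dict, claims: dict, secret: bytes) -> str:
    """Build a constructed sample token so the verifier can be exercised offline."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    mac = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[header["alg"]]).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs(token: str, secret: bytes, allowed=("HS256",), issuer=None, audience=None, now=None) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("invalid JWS format: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    alg = b64url_json(header_b64).get("alg")                        # step 1: read alg
    if alg not in allowed or alg not in HMAC_ALGS:                  # caller's allow-list decides
        raise ValueError(f"algorithm not allowed: {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")   # step 2: MAC over header.payload
    expected = b64url_encode(hmac.new(secret, signing_input, HMAC_ALGS[alg]).digest())
    if not hmac.compare_digest(expected.encode(), sig_b64.encode()):  # step 3: constant-time compare
        raise ValueError("signature invalid")
    claims = b64url_json(payload_b64)     # claims are parsed only after the signature checks out
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    if issuer is not None and claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if audience is not None:
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("unexpected audience")
    return claims
```

The verifier compares the Base64URL text of the expected MAC against the token's third segment, so a signature segment with stray or non-canonical characters fails instead of being leniently decoded.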
JWS Structure Reference
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFuaXNoIE5hdGgiLCJpYXQiOjE1MTYyMzkwMjJ9.9tFLrurxXWKBDh317ly24fP03We-uzSZtPf7Yqy_oSw

Header - Contains alg (algorithm) and optionally typ, kid

Payload - Contains claims (sub, name, iat, exp, etc.)

Signature - Cryptographic signature over header.payload

About This Tool

This JWS verification tool is developed by Anish Nath (@anish2good), a Security Engineer specializing in cryptography and web security.

  • Privacy-First: Your tokens and keys are processed server-side and not stored
  • Standards Compliant: Implements RFC 7515 (JWS) verification
  • All Algorithms: Supports HMAC, RSA PKCS#1, RSA PSS, and ECDSA