Is my JWT or secret uploaded or stored?

No. Everything stays in your browser and clears on refresh. Use test secrets only.

Do you support RS256/ES256?

This tool is HS256-only. Use server-side/JWKS-based validation for RSA/ECDSA tokens.

Do you check exp/iss/aud?

No. This checks signature integrity only. Validate claims in your application or CI.

Why is my token invalid?

Most often: wrong secret, wrong alg (RS vs HS), or malformed base64url segments. Confirm the header and secret match.

Can I run this offline?

Yes. Once loaded, it runs entirely client-side and continues to work offline.

Should I paste production tokens?

Avoid it. Even though this runs locally, use staging tokens and secrets to reduce risk.

security validator

JWT Signature Validator (HS256)

Validate HS256 JWT signatures with a shared secret, fully client-side—no tokens or secrets ever leave your browser.

Results

Processing…

Status: Processing...
Details: Processing...
Algorithm: Processing...
Payload: Processing...

How to use this validator

Paste the JWT (three base64url segments).
Paste the shared secret (use test keys only).
Run validate to compute the HMAC and compare against the token signature.
If invalid, confirm alg is HS256 and that the secret matches the signer; re-run after fixing.

Rules & checks

Supports HS256 (HMAC SHA-256) only; expects alg: HS256 in the header.

Requires a full JWT (header.payload.signature) and the matching shared secret.

Uses client-side HMAC to recompute the signature and compare against the JWT.

Runs fully client-side/offline—tokens and secrets stay in your browser.

Inputs explained

JWT
Paste the full token with three base64url parts separated by dots. Use non-production tokens whenever possible.
Shared secret
Use a non-production shared secret for local verification; it must exactly match the signer’s key (case-sensitive).

When to use it

Debug webhook tokens locally in QA/staging.
Verify JWTs generated by backend services during integration tests.
Confirm shared secrets in env files match what services expect.
Reproduce signature issues before filing tickets with third-party providers.

Common errors

Using the wrong secret (including trailing spaces or different casing).
Token signed with RS/ES alg instead of HS256.
Malformed JWT (not three base64url segments).
Base64url padding/character issues in custom JWT libraries.
Expired tokens still decode; signature can be valid while claims are out of date.

Limitations

HS256 only; does not verify RS256/ES256/PS256 tokens.
Does not validate claims (exp, nbf, iss, aud); focuses on signature integrity.
No remote key fetching or JWKS support; you must supply the shared secret directly.
Browser-based: keep payloads modest and avoid production secrets.

Tips

Never paste production secrets or live tokens—use test/staging values only.
Check the header alg; HS256 only. RS/ES tokens require public-key verification elsewhere.
If you see padding errors, ensure the JWT parts are base64url (no '+' or '/' and typically no '=' padding).
Rotate secrets regularly; invalidate tokens when a secret changes.
Redact sensitive claims if sharing results in logs or screenshots.

Examples

Valid HS256

Correct JWT + correct shared secret -> Signature valid

Invalid secret

JWT + wrong secret -> Invalid signature

Wrong alg

RS256 token with HS256 expected -> Unsupported (fails)

Malformed JWT

Missing a segment or bad base64url -> flagged as invalid

Deep dive

This HS256 JWT signature validator recomputes the HMAC in your browser to confirm token integrity without uploading secrets or tokens.

Use it for fast QA of webhook/auth flows, then run full RS/ES verification and claim checks in your server or CI pipeline when needed.

FAQs

Is my JWT or secret uploaded or stored?: No. Everything stays in your browser and clears on refresh. Use test secrets only.
Do you support RS256/ES256?: This tool is HS256-only. Use server-side/JWKS-based validation for RSA/ECDSA tokens.
Do you check exp/iss/aud?: No. This checks signature integrity only. Validate claims in your application or CI.
Why is my token invalid?: Most often: wrong secret, wrong alg (RS vs HS), or malformed base64url segments. Confirm the header and secret match.
Can I run this offline?: Yes. Once loaded, it runs entirely client-side and continues to work offline.
Should I paste production tokens?: Avoid it. Even though this runs locally, use staging tokens and secrets to reduce risk.

Related validators

developer

JWT Decoder

Decode JWT headers and payloads client-side—no uploads, no signature verification, and no storage.

security

Password Strength Checker

Score password strength with clear, local checks—length, variety, and guidance without sending data anywhere.

security

Password Entropy Calculator

Estimate password entropy (bits) in-browser to see how length and character sets impact strength.

web

HTTP Security Headers Validator

Validate core security headers (HSTS, nosniff, frame options, referrer policy, permissions policy) entirely client-side.

developer

Regex Tester

Test regex patterns against sample text with live matches and errors.

developer

UUID Validator

Check UUIDs (v1–v5) for proper formatting before using them in requests or logs.

JWTs and secrets stay in your browser. No data is sent, logged, or stored.

Signature integrity check for HS256 only; does not validate claims, expiry, or RS/ES algorithms.