Instantly verify and debug your JSON Web Tokens (JWT). Check symmetric (HS256) versus asymmetric (RS256/ES256) signatures securely in your browser. Free and private.
AI Generation Prompt
Technical Specification: JWT Symmetric vs Asymmetric Signature Checker
Overview
A high-performance, single-file browser utility for developers to parse, decode, and verify JSON Web Token (JWT) signatures. The tool provides clear visual feedback on the validity of tokens, differentiating between symmetric (shared secret) and asymmetric (public key) verification flows.
Core Features
- Live Decoding: Automatically parses the Base64Url encoded header and payload as the user types.
- Algorithm Selection: Support for HS256/384/512 (Symmetric) and RS/ES256/384/512 (Asymmetric).
- Signature Verification Engine: A robust validation module that re-signs the token header/payload using user input to perform a match against the original signature.
- PEM/Secret Key Input: Dynamic input fields that switch between a simple text area for secrets and a multi-line box for PEM-formatted public keys.
- Validation States: Clear visual cues using color coding (Success: Emerald/Green, Error: Rose/Red, Warning: Amber/Yellow).
UI/UX Design
- Layout:
  - Header: Clean, minimalist title and brief instructional text.
  - Input Area: Two-column grid (desktop) or stacked (mobile). Left: JWT string. Right: Key configuration and algorithm selector.
  - Results Section: Real-time display of Decoded Header and Decoded Payload. Separate validation status card.
- Aesthetic:
  - Palette: Crisp whites, soft slate grays for text, vibrant primary action colors (Indigo/Blue), and semantic status colors (Emerald, Rose).
  - Typography: Sans-serif system stack (Inter/system-ui) for maximum readability.
  - Interactions: Subtle CSS transitions on hover and focus states. Real-time update feedback (no 'submit' button required).
Technical Constraints & Requirements
- Architecture: Single HTML file containing CSS and Vanilla JavaScript.
- Performance: Zero external dependencies other than essential CDN-hosted libraries (e.g., Tailwind CSS for styling, Crypto-JS for cryptographic operations).
- No Persistence: Use in-memory state variables only. ABSOLUTELY NO localStorage, sessionStorage, IndexedDB, or cookies.
- Iframe Compatibility: The app must be compatible with a sandboxed iframe. No alert(), confirm(), or prompt() calls; use custom modal components if user interaction is required.
- Responsive: Fluid layout using Flexbox and CSS Grid to ensure functionality on all screen widths.
- Security: Ensure all cryptographic operations are performed strictly client-side to prevent leakage of tokens or private/secret keys.
Frequently Asked Questions
Everything you need to know about using this application.
How do I verify a JWT signature using this tool?
To verify a JSON Web Token, paste your encoded JWT string into the primary input area. Select the appropriate algorithm used for signing (e.g., HS256 for symmetric, RS256 for asymmetric) and provide the corresponding secret key or public key. The tool will automatically compute the signature based on your input and compare it against the signature embedded in the token to confirm validity. Verification ensures that the token was generated by a trusted source and has not been tampered with during transmission. This process involves splitting the JWT into its header, payload, and signature components, re-encoding the header and payload, and signing them with the provided key to see if the resulting hash matches the original signature string.
What is the difference between symmetric and asymmetric JWT signing?
Symmetric signing, such as HS256 (HMAC with SHA-256), uses a single 'shared secret' string that is known by both the issuer of the token and the party verifying the token. It is simple to implement but requires both parties to securely manage the secret, as possession of the secret allows anyone to create valid tokens. Asymmetric signing, such as RS256 (RSA with SHA-256) or ES256 (ECDSA with SHA-256), uses a key pair: a private key used to sign the token and a public key used to verify it. This is more secure for distributed systems because the verifying service only needs the public key and does not have the ability to generate new tokens, significantly reducing the security risk if the verifier is compromised.
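The two verification flows described in the answers above, as an added example that is not the tool's own code: HS256 is checked by recomputing the MAC with the shared secret, and RS256 by running signature verification with the PEM public key. It uses Node.js's built-in crypto module rather than a browser library; `verifyJwt`, `signJwt`, the secret and the key pair are constructed for illustration.

```javascript
// Added example (Node.js built-in crypto); function names are illustrative.
const crypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// expectedAlg comes from the verifier's configuration, never from the token.
function verifyJwt(token, expectedAlg, key) {
  const parts = String(token).split('.');
  if (parts.length !== 3 || !['HS256', 'RS256'].includes(expectedAlg)) return false;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    if (header?.alg !== expectedAlg) return false; // header disagrees with config
    const signingInput = Buffer.from(`${h}.${p}`, 'ascii');
    const sig = Buffer.from(s, 'base64url');
    if (expectedAlg === 'HS256') {
      // Symmetric: recompute the MAC with the shared secret, compare in constant time.
      const mac = crypto.createHmac('sha256', key).update(signingInput).digest();
      return mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
    }
    // Asymmetric: the PEM public key can check a signature but cannot create one.
    return crypto.verify('sha256', signingInput, key, sig);
  } catch {
    return false; // malformed header JSON or unusable key material
  }
}

// Constructed sample data: throwaway secret and key pair, plus a test-only signer.
function signJwt(alg, claims, key) {
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  const sig = alg === 'HS256'
    ? crypto.createHmac('sha256', key).update(input).digest()
    : crypto.sign('sha256', Buffer.from(input), key);
  return `${input}.${b64url(sig)}`;
}
const SECRET = 'constructed-shared-secret';
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const hsToken = signJwt('HS256', { sub: 'demo' }, SECRET);
const rsToken = signJwt('RS256', { sub: 'demo' }, privateKey);
console.log('HS256 with secret:', verifyJwt(hsToken, 'HS256', SECRET));
console.log('RS256 with public key:', verifyJwt(rsToken, 'RS256', publicKey));
console.log('HS256 token, verifier expects RS256:', verifyJwt(hsToken, 'RS256', publicKey));
```

The verifier holding only `publicKey` can confirm `rsToken` but has nothing it could use to mint a new one, which is the property the answer above attributes to asymmetric signing.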
Is my data secure when using this JWT validator?
Yes, this tool is designed with a 'client-side only' architecture. Every calculation, decoding process, and signature verification happens locally within your own web browser's memory. No data is ever transmitted to a remote server, stored in a database, or saved to server-side logs during the validation process. Because the application does not utilize cookies, localStorage, or any persistent storage mechanisms, your JWTs and secret keys are immediately cleared from memory as soon as you close or refresh the browser tab. This ensures total privacy when handling sensitive authentication tokens and cryptographic keys.
Which JWT algorithms are supported by this tool?
This application supports the most common JWT algorithms used in modern web development. For symmetric authentication, it includes full support for HS256, HS384, and HS512. These require you to input the secret string used to sign the token to verify its integrity. For asymmetric authentication, the tool supports industry-standard algorithms including RS256, RS384, RS512, ES256, ES384, and ES512. When using these algorithms, the tool requires the public key in PEM format to verify that the signature was generated by the corresponding private key held by the authentication provider.



