The security of a JSON Web Token (JWT) relies entirely on its signature. The header and payload are simply Base64URL-encoded strings that anyone can decode and read; only the signature guarantees that the token has not been tampered with. To check whether a token is authentic, our visual JWT Signature Verifier performs the cryptographic checks 100% locally in your browser, keeping your keys and tokens completely private.
How a JWT Signature Is Created
A JWT is composed of three parts separated by dots: Header, Payload, and Signature. The signature is calculated by taking the encoded header, the encoded payload, a cryptographic algorithm, and a key:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)
If even a single character in the header or payload is altered, the recomputed signature will no longer match the one carried in the token, and the server will reject it.
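The HS256 formula above, worked through end to end as an added example (this is not code from the verifier tool described on this page): it builds a token, verifies it with the algorithm pinned to HS256 and a constant-time comparison, and shows that a single edited claim or a different key makes verification fail. The secret and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    """Base64URL without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding before decoding (raises ValueError if malformed)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature exactly as the HMACSHA256 formula above describes."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the HS256 signature checks out, otherwise None.
    The algorithm is pinned by the verifier, never chosen by the token's own header."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so a partial match leaks no timing information.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):  # bad split, base64, UTF-8 or JSON shape
        return None


def demo() -> tuple:
    """Constructed demo: a valid token, the same token with one claim edited, and a wrong key."""
    secret = b"constructed-demo-secret"  # demo value, not a real key
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "admin": False}, secret)
    header_b64, _, sig_b64 = token.split(".")
    # Re-encode the payload with the admin flag flipped but keep the original signature.
    forged = header_b64 + "." + b64url_encode(b'{"sub":"alice","admin":true}') + "." + sig_b64
    return verify_hs256(token, secret), verify_hs256(forged, secret), verify_hs256(token, b"other")
```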
Symmetric (HS256) vs. Asymmetric (RS256) Algorithms
There are two primary classes of algorithms used to sign JWTs:
- Symmetric (HS256): Uses a single shared secret key for both signing and verification. Easy to configure, but every service that verifies the token must hold the signing secret, and anything that holds it can also mint tokens, which is a risk in multi-service infrastructures.
- Asymmetric (RS256 / ES256): Uses a private key to sign the token and a corresponding public key to verify it. The verifying services only need the public key, meaning the signing secret never leaves the authentication server.
Why Local-First Verification Matters
When debugging signature mismatches during development, developers often paste their JWTs and verification secrets into online testing tools. If these tools send inputs to a backend server, your database access secrets, user claims, or API keys are exposed to a third party.
By using client-side tools built on the browser's native Web Crypto API, you can verify signatures locally. The cryptographic keys never travel across the internet, protecting your configuration credentials.
Frequently Asked Questions
- What is a JWT signature?
- A JWT signature is the third part of a JSON Web Token. It is generated by computing an HMAC (with a secret key) or a digital signature (with a private key) over the encoded header and payload, allowing the receiver to verify the token's authenticity and integrity.
- What is the difference between symmetric and asymmetric JWT signatures?
- Symmetric algorithms (like HS256) use the same secret key to sign and verify tokens. Asymmetric algorithms (like RS256 or ES256) use a private key to sign the token and a public key to verify it, which is safer for public API networks.
- Is it safe to verify JWT signatures online?
- Uploading private JWT keys or sensitive payloads to online servers is highly insecure. Always use local, client-side verification tools that process the cryptography in your browser.