Verifying a JWT proves it is authentic and unmodified: it was signed by someone who holds the secret. With HS256 you recompute the HMAC-SHA256 of the header and payload using your secret and compare it to the token’s signature. To verify, paste the token and secret into a validator. Here is why this matters and how it differs from decoding.
Drop the JWT you want to check into the box.
Provide the HMAC secret the token should have been signed with.
The signature is recomputed and compared — you get a clear valid or invalid result.
The validator also flags whether the exp claim is in the past.
Decoding is not verifying
The decoder shows what’s inside a token, but anyone can read or even forge a payload. Verifying checks the signature against your secret, which is the only thing that proves the token is genuine. The validator does this with the Web Crypto API.
Always verify on the server
For real authorization, verification must happen on a trusted server with the secret kept private — never trust a token a client claims is valid. This browser tool is for debugging and learning; treat the secret you paste as a test secret. Create test tokens with the generator.
Tip: A token can have a perfectly valid signature and still be expired — always check both the signature and the exp claim before trusting it.
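The two checks described above (signature, then exp), written out with the Web Crypto API. This is an added example, not the validator's own code; the function names, the secret and the claims are assumptions made up for illustration.

```javascript
// Added example: HS256 verification with Web Crypto. All names here are illustrative.
const enc = new TextEncoder();

async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle; // fallback for older Node
}

function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')), (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

async function hmacKey(secret, usage) {
  const alg = { name: 'HMAC', hash: 'SHA-256' };
  return (await getSubtle()).importKey('raw', enc.encode(secret), alg, false, [usage]);
}

// Builds a constructed test token so the verifier has something to check.
async function signHs256(payload, secret) {
  const part = (obj) => bytesToB64url(enc.encode(JSON.stringify(obj)));
  const input = `${part({ alg: 'HS256', typ: 'JWT' })}.${part(payload)}`;
  const key = await hmacKey(secret, 'sign');
  const sig = await (await getSubtle()).sign('HMAC', key, enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(sig))}`;
}

// Returns { valid, expired, reason }. Claims are only read after the signature checks out.
async function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ valid: false, expired: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed');
  const [h, p, s] = parts;
  let header, payload, sig;
  try {
    const json = (b) => JSON.parse(new TextDecoder().decode(b64urlToBytes(b)));
    [header, payload, sig] = [json(h), json(p), b64urlToBytes(s)];
  } catch { return fail('malformed'); }
  if (!header || header.alg !== 'HS256') return fail('unexpected alg'); // pin the algorithm
  const key = await hmacKey(secret, 'verify');
  // subtle.verify recomputes the HMAC over "header.payload" and compares it to the signature.
  const ok = await (await getSubtle()).verify('HMAC', key, sig, enc.encode(`${h}.${p}`));
  if (!ok) return fail('bad signature');
  const expired = typeof payload?.exp === 'number' && nowSec >= payload.exp;
  return { valid: true, expired, reason: expired ? 'expired' : 'ok' };
}
```

A caller should accept a token only when valid is true and expired is false; a result of valid with expired set is the case the tip above describes.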
Verify a JWT now
Check an HS256 signature with your secret — free, in your browser.
Open the JWT Validator →
Frequently Asked Questions
How do I verify a JWT?
Recompute the HMAC-SHA256 of the header and payload with your secret and compare it to the token’s signature. A validator does this for you.
What’s the difference from decoding?
Decoding reveals the contents; verifying proves authenticity using the secret. Only verification can be trusted.
Is my token or secret uploaded?
No — verification runs in your browser with the Web Crypto API.