JWT Verifier
Verify that a JWT was signed with the secret you have. Donfig uses the browser's native Web Crypto API to compute HMAC-SHA-256 over the token's signing input (the first two segments exactly as they appear in the token, "header.payload") and compares the result to the supplied signature segment. The Verify panel shows green if the signature matches and red otherwise, plus a precise reason on failure ("signature does not match", "alg unsupported"). Turn on the base64url-encoded toggle if your secret is itself base64url-encoded. The token is also fully decoded so you can inspect its claims at the same time.
Frequently asked
Which algorithms can be verified in the browser?
HS256 (HMAC-SHA-256) is supported via Web Crypto. RS256 / ES256 require the issuer's public key and are left to a follow-up implementation.
How do I know which secret to use?
It's whatever your auth server uses to sign. For dev/staging, often a string in your config; for prod, a high-entropy secret you should rotate if exposed.
What does 'alg unsupported' mean?
Your token's header declares an algorithm Donfig can't verify in the browser yet (e.g. RS256). The decode still works for inspection.
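The HS256 check described on this page, written against Web Crypto as an added example (not Donfig's own code). The function names and the "malformed token" reason are assumptions made for the example, and signHs256 exists only to construct sample tokens.

```javascript
// Added example. Web Crypto is global in browsers and recent Node; older Node needs the fallback.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url -> bytes: restore the standard alphabet and padding before atob().
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)), (c) => c.charCodeAt(0));
}

function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// The secret is either raw text or, with the toggle on, base64url-encoded key bytes.
function importHmacKey(secret, secretIsB64url) {
  const raw = secretIsB64url ? b64urlToBytes(secret) : enc.encode(secret);
  return subtle.importKey("raw", raw, { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
}

// Returns { valid, reason, claims }. "malformed token" is a label assumed for this example.
async function verifyHs256(token, secret, secretIsB64url = false) {
  const parts = token.split(".");
  if (parts.length !== 3) return { valid: false, reason: "malformed token", claims: null };
  const [h, p, s] = parts;
  let header, claims, sig;
  try {
    header = JSON.parse(dec.decode(b64urlToBytes(h)));
    claims = JSON.parse(dec.decode(b64urlToBytes(p)));
    sig = b64urlToBytes(s);
  } catch {
    return { valid: false, reason: "malformed token", claims: null };
  }
  // The verifier fixes the algorithm; the header is only checked against it.
  if (header?.alg !== "HS256") return { valid: false, reason: "alg unsupported", claims };
  const key = await importHmacKey(secret, secretIsB64url);
  // subtle.verify recomputes the MAC over "header.payload" and compares it itself.
  const ok = await subtle.verify("HMAC", key, sig, enc.encode(`${h}.${p}`));
  return { valid: ok, reason: ok ? null : "signature does not match", claims };
}

// Helper used only to construct sample tokens for this example.
async function signHs256(claims, secret, secretIsB64url = false) {
  const h = bytesToB64url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const p = bytesToB64url(enc.encode(JSON.stringify(claims)));
  const key = await importHmacKey(secret, secretIsB64url);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(`${h}.${p}`)));
  return `${h}.${p}.${bytesToB64url(mac)}`;
}
```

The claims are returned even when verification fails, matching the decode-for-inspection behaviour above; they must not be trusted unless `valid` is true.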