Verify HS256 JWT Signature Online
HS256 (HMAC-SHA256) is the most common JWT signing algorithm. It uses a shared secret known to both the token issuer and the verifying party. To verify an HS256 token you need the exact same secret string used to sign it.
This tool uses the browser's built-in SubtleCrypto API to import your secret as an HMAC-SHA256 key and run the cryptographic verification — no JavaScript library required, no network call made. Your token and secret never leave your device.
Common use cases: debugging auth middleware, confirming a staging secret matches production, verifying a third-party service's tokens before trusting them in your backend.
How to use
- Paste your JWT token into the input field on the main tool page.
- The header and payload are decoded instantly — review claims, algorithm, and expiry.
- To verify the signature, paste your HMAC secret or PEM public key and click Verify Signature.
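
The check described above, written out as an added example (this is not the tool's own source): import the secret as an HMAC-SHA256 key with SubtleCrypto and verify the signature over the first two token segments. The names `verifyHS256` and `signHS256` and the sample secret are made up for this illustration; the code runs in a browser console or in Node.

```javascript
const enc = new TextEncoder();
// Browsers and current Node expose globalThis.crypto; older Node needs the module.
const getSubtle = async () =>
  globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;

function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
async function hmacKey(secret, usage) {
  // Import the secret's UTF-8 bytes as a non-extractable HMAC-SHA256 key.
  return (await getSubtle()).importKey(
    "raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

async function verifyHS256(token, secret) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) return { valid: false, reason: "not three segments" };
  if (!secret) return { valid: false, reason: "empty secret" };
  let header, sig;
  try {
    header = JSON.parse(new TextDecoder().decode(b64urlToBytes(parts[0])));
    sig = b64urlToBytes(parts[2]);
  } catch {
    return { valid: false, reason: "malformed encoding" };
  }
  // Pin the algorithm: the token's header must not choose the verifier.
  if (header?.alg !== "HS256") return { valid: false, reason: "alg is not HS256" };
  // The MAC covers the ASCII bytes of "<header>.<payload>" exactly as received;
  // subtle.verify does the comparison, so no MAC strings are compared by hand.
  const data = enc.encode(parts[0] + "." + parts[1]);
  const key = await hmacKey(secret, "verify");
  const ok = await (await getSubtle()).verify("HMAC", key, sig, data);
  return ok ? { valid: true } : { valid: false, reason: "signature mismatch" };
}

// Builds a constructed sample token so the example runs offline.
async function signHS256(payload, secret, header = { alg: "HS256", typ: "JWT" }) {
  const body = [header, payload]
    .map((o) => bytesToB64url(enc.encode(JSON.stringify(o)))).join(".");
  const key = await hmacKey(secret, "sign");
  const mac = await (await getSubtle()).sign("HMAC", key, enc.encode(body));
  return body + "." + bytesToB64url(new Uint8Array(mac));
}
```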