Verify JWT HS256 recomputes the HMAC-SHA256 signature with your shared secret and compares it to the token's third segment. When valid, decoded header and payload JSON are included in the result so you can inspect claims without a separate decoder.
How it works
The token is split on "." into header, payload, and signature segments. Each of the first two parts is Base64url-decoded to JSON. The tool then computes HMAC-SHA256 with your secret over the signing input header.payload (the two encoded segments exactly as they appear in the token, joined by a dot) and compares the result to the provided signature using a constant-time check. Mismatches, malformed segments, or wrong algorithms in the header are reported clearly.
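The steps above, written out as an added Python example; it is not the tool's own code. The function names, secret and sample claims are constructed for illustration, and time_claims_ok goes beyond the tool by checking exp and nbf, which the tool leaves to you.

```python
import base64, hashlib, hmac, json

def b64url_decode(seg):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_hs256(header, payload, secret):
    # Helper used only to build the constructed sample token below.
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token, secret):
    """Return (header, payload) if the HS256 signature is valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        provided = b64url_decode(sig_b64)
    except ValueError as exc:  # bad Base64, bad UTF-8 or bad JSON
        raise ValueError("malformed segment") from exc
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        raise ValueError("header and payload must be JSON objects")
    # Pin the algorithm: the token's header must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg in header")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        raise ValueError("signature mismatch")
    return header, payload

def time_claims_ok(payload, now):
    # Not done by the tool (see Limitations): reject expired or not-yet-valid tokens.
    return payload.get("nbf", 0) <= now < payload.get("exp", float("inf"))

# Constructed sample values, not real credentials.
SECRET = b"example-shared-secret"
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                   {"sub": "agent-1", "nbf": 1000, "exp": 2000}, SECRET)

if __name__ == "__main__":
    print(verify_hs256(TOKEN, SECRET))
```

The decoded claims are returned only after the signature check passes, so a caller cannot act on the claims of a token that failed verification.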
When to use it
- Test agent authentication against HS256-secured APIs during development
- Debug tokens created by the sign-hs256 tool in this catalog
- Validate webhook signatures during local integration work
- Confirm a token was signed with a known secret before trusting its claims
Example
Sign a payload with sign-hs256, paste the token and the same secret here, and the tool reports Signature valid with the decoded header and claims in the output.
Limitations
Supports HS256 only—RS256 and other asymmetric algorithms are not handled here. Secrets are processed in browser memory; avoid production credentials on shared machines. Verification does not check exp, nbf, or issuer rules unless you inspect the decoded payload yourself.