HS256 Signature Verifier - Free, No Sign-Up
Overview
HS256 (HMAC-SHA256) signs a JWT by computing an HMAC over the header and payload using a shared secret. Paste the token, enter the secret, and the tool re-computes the signature using Web Crypto API in your browser. A green badge means the computed HMAC matches the third segment of the token; red means the secret is wrong or the token was tampered with.
How to Use This Tool
Paste your JWT into the input field. Select HS256, HS384, or HS512 from the algorithm dropdown. Enter the secret key (plain text or Base64 depending on how your server stores it). Click Verify. The result shows immediately without any network request.
Ready to get started? It's free, no registration required, and your files never leave your device.
PDF Tool →Frequently Asked Questions
What is the difference between HS256, HS384, and HS512?
All three use HMAC with a shared secret. The number refers to the SHA output size: 256, 384, or 512 bits. HS256 is the most common. HS512 produces a longer, harder-to-brute-force signature but requires more bytes in the token.
My secret is stored as Base64 in the server config. Do I enter the raw or Base64 version?
Enter the raw decoded secret. The tool expects the plain-text secret that your server decodes before signing. If your server Base64-decodes the config value before signing, decode it first before pasting here.
Can this tool verify RS256 or ES256 tokens?
No. RS256 and ES256 use asymmetric key pairs. Verification requires the public key, not a shared secret. The tool supports only HMAC algorithms: HS256, HS384, and HS512.