JWT verify (RSA / ECDSA)
Client: Verify asymmetric JWT signatures with a PEM public key—processed locally via Web Crypto.
About JWT verify (RSA / ECDSA)
Verify RS256/384/512 or ES256/384/512 JWTs with a PEM public key in the browser—Web Crypto only. The interactive transform on this page runs in your browser tab—Toolcore does not need your paste for the core operation described above.
How to use this page
Paste or type in the main workspace, run the primary action from the toolbar, then copy or download the result. Use Load example when the page offers it, or URL prefill (?q= / ?qb=) so agents and tickets open the same input.
Limits and safety
Utilities here are for development and inspection—do not paste live production keys, PANs, or recovery codes into any browser tab you do not control.
Verify RS256/384/512 and ES256/384/512 signatures with an SPKI PEM public key. For HMAC, use JWT sign & verify. To read claims without verification, use JWT decode.
JWT
PEM public key
Paste a PKIX SPKI public key block (BEGIN PUBLIC KEY). Private keys stay off this page—verification only.
Keys and tokens are processed in your browser with Web Crypto; nothing is sent to Toolcore servers.
Nearby workflows on Toolcore
- JWT decode — Inspect the JWT header and payload as JSON in the browser (signature not verified) before you trust a token, digest, or key material in production.
- JWT sign & verify — Sign HS256/384/512 JWTs or verify HMAC signatures in the browser (pair with JWT decode for claims) before you trust a token, digest, or key material in production.
- JWT sign (RSA / ECDSA) — Sign RS256/384/512 or ES256/384/512 JWTs with a PKCS#8 PEM private key in the browser (Web Crypto only) before you trust a token, digest, or key material in production.
- PEM / X.509 viewer — Decode PEM certificates in the browser (subject, issuer, validity; paste only what you trust) before you trust a token, digest, or key material in production.
Common use cases
- Confirm an OIDC or API gateway RS256 token against a known public key PEM.
- Debug ES256 client assertions during integration without sending secrets server-side.
- Pair with JWT decode when you need both claim inspection and asymmetric verification.
Common mistakes to avoid
Pasting a private key
Only SPKI public keys belong here—never paste private PEM on shared machines.
Using HMAC secrets on this page
HS256 family tokens need JWT sign & verify with a shared secret, not PEM.
FAQ
Which algorithms are supported?
RS256, RS384, RS512, ES256, ES384, and ES512 with PKIX PEM public keys.
Does this replace server-side validation?
Use it for debugging and spot checks. Production APIs should still validate issuer, audience, and expiry in trusted code.
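What the verification described on this page involves, as an added JavaScript example that is not Toolcore's code: verifyJwt picks the Web Crypto parameters from a fixed allow-list keyed on the header's alg, imports the SPKI PEM, and checks the signature only, so issuer, audience, and expiry checks remain the caller's job. The names ALGS, verifyJwt, makeSample and the sample claims are assumptions made for illustration.

```javascript
// Added example (not Toolcore's code): verify an RS*/ES* JWT against an SPKI PEM.
// Allow-list: "none" and HS* are absent, so a token cannot downgrade the check.
const ALGS = {
  RS256: { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
  RS384: { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-384' },
  RS512: { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-512' },
  ES256: { name: 'ECDSA', hash: 'SHA-256', namedCurve: 'P-256' },
  ES384: { name: 'ECDSA', hash: 'SHA-384', namedCurve: 'P-384' },
  ES512: { name: 'ECDSA', hash: 'SHA-512', namedCurve: 'P-521' },
};
const getSubtle = async () =>
  globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
const utf8 = (s) => new TextEncoder().encode(s);
// base64url (JWT segment) or base64 (PEM body) -> bytes, and bytes -> base64url
const fromB64 = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/').replace(/\s/g, '')), (c) => c.charCodeAt(0));
const toB64url = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function spkiPemToDer(pem) {
  const m = /-----BEGIN PUBLIC KEY-----([\s\S]+?)-----END PUBLIC KEY-----/.exec(pem);
  if (!m) throw new Error('expected an SPKI "BEGIN PUBLIC KEY" block');
  return fromB64(m[1]);
}

// Resolves to { valid, header, payload }; rejects on malformed input or unsupported alg.
async function verifyJwt(token, spkiPem) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('JWT must have three segments');
  const [h, p, s] = parts;
  const header = JSON.parse(new TextDecoder().decode(fromB64(h)));
  if (!Object.hasOwn(ALGS, header.alg)) throw new Error(`unsupported alg: ${header.alg}`);
  const alg = ALGS[header.alg];
  const subtle = await getSubtle();
  const key = await subtle.importKey('spki', spkiPemToDer(spkiPem), alg, false, ['verify']);
  // JWS ECDSA signatures are raw r||s, which is also what Web Crypto expects.
  const valid = await subtle.verify(alg, key, fromB64(s), utf8(`${h}.${p}`));
  return { valid, header, payload: valid ? JSON.parse(new TextDecoder().decode(fromB64(p))) : null };
}

// Constructed sample: throwaway ES256 key pair and token, generated at run time.
async function makeSample(claims = { iss: 'https://issuer.example', sub: 'demo' }) {
  const subtle = await getSubtle(), alg = ALGS.ES256;
  const pair = await subtle.generateKey(alg, true, ['sign', 'verify']);
  const der = await subtle.exportKey('spki', pair.publicKey);
  const pem = `-----BEGIN PUBLIC KEY-----\n${btoa(String.fromCharCode(...new Uint8Array(der)))}\n-----END PUBLIC KEY-----`;
  const input = `${toB64url(utf8(JSON.stringify({ alg: 'ES256', typ: 'JWT' })))}.${toB64url(utf8(JSON.stringify(claims)))}`;
  return { pem, token: `${input}.${toB64url(await subtle.sign(alg, pair.privateKey, utf8(input)))}` };
}
```

The payload is returned only when the signature is valid, so callers cannot read claims from an unverified token by accident.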