Verifying Signatures Without a Backend
Traditionally, JWT signature verification requires a backend. But what if you’re offline, in a restricted network, or just want to validate a token locally? JWT Viz brings cryptographic verification to the browser using the Web Crypto API.
Supported Algorithms
- HS256: HMAC with SHA-256 (symmetric secret)
- RS256: RSA with SHA-256 (asymmetric public key)
How It Works
When you paste a public key or secret:
- Header and payload are re-encoded
- Signature is decoded from Base64Url
- crypto.subtle.verify() checks integrity
- Result: “Verified”, “Invalid”, or error
Use Cases
- Log Analysis: Verify tokens from logs match expected keys
- Penetration Testing: Test if weak secrets are in use
- Education: Teach signature concepts hands-on
Limitations
Client-side verification is for inspection only. Production systems must verify on the server. Never trust client-validated tokens for access control.
Security Notes
- Keys are never stored or sent
- Works in memory only
- Supports PEM SPKI format for RS256
FAQ
Can I verify ES256 or EdDSA?
Not yet—Web Crypto support is limited. RS256/HS256 cover 95% of use cases.
Is this safe for production secrets?
Yes for inspection. Avoid pasting highly sensitive keys in shared environments.
Why not use jwt.io?
JWT Viz is offline, private, and offers tree visualization + export.
Verify signatures anywhere. No backend. No excuses.