How to verify a JWT HS256 signature

Confirm that a JWT signed with HMAC-SHA-256 has not been tampered with by verifying it against a known secret.

HMAC-SHA-256 (HS256) is the most common JWT signing algorithm for server-to-server tokens where both parties share a secret. Verifying the signature proves the token was issued by a server that knows the secret and that the claims have not been modified in transit. This guide walks through verification using the quickhelp.dev JWT Decoder — no Node.js or Python script required.

Step-by-step guide

  1. Paste the token: Open quickhelp.dev/jwt-decoder and paste your HS256-signed JWT. Confirm 'alg: HS256' appears in the decoded header.
  2. Enter the secret: Scroll to the Verify section. Enter your HMAC secret (the same string your server uses to sign tokens) in the Secret field.
  3. Click Verify: The tool computes the expected signature and compares it to the token's signature. 'Verified ✓' means the token is authentic; 'Invalid signature' means it has been tampered with or the wrong secret was used.

Frequently asked questions

Is it safe to paste my HMAC secret here?
Use a test or non-production secret when verifying in any online tool. Never paste production secrets into third-party websites.

What if verification fails with the correct secret?
Check for trailing whitespace, encoding differences (the secret may be base64-encoded on your server), or clock skew affecting the iat/nbf claims.
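
The check the Verify step performs can also be run locally, so the secret never leaves your machine. The following is an added example using only the Python standard library, not code from quickhelp.dev; the function names are hypothetical and the secret and token are constructed sample values. `diagnose_secret` tries the secret readings named in the last answer (as typed, whitespace stripped, base64-decoded).

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore stripped padding

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    # Helper used only to construct sample tokens for this example.
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if the HS256 signature checks out, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token's header choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # The MAC covers the exact base64url text of header and payload as received.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(payload_b64))

def diagnose_secret(token: str, secret_text: str) -> str:
    """Report which reading of the secret verifies the token."""
    candidates = {"as typed": secret_text.encode(), "whitespace stripped": secret_text.strip().encode()}
    try:
        candidates["base64-decoded"] = base64.b64decode(secret_text.strip(), validate=True)
    except ValueError:
        pass  # not valid base64, so that reading does not apply
    for label, key in candidates.items():
        try:
            verify_hs256(token, key)
            return label
        except ValueError:
            continue
    return "no match"

SECRET = b"demo-secret-not-for-production"  # constructed sample secret, not a real key
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, SECRET)  # constructed token
print(verify_hs256(TOKEN, SECRET), "|", diagnose_secret(TOKEN, "demo-secret-not-for-production\n"))
```

`verify_hs256` checks the signature only; time-based claims such as iat and nbf need a separate check after the signature has been accepted.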

Try it now

Use the JWT Decoder to complete this task — free, no sign-up, runs in your browser.
