Free Developer Tool

JWKS & JWT Signature Verifier

Paste a JWKS URL or JWKS JSON plus a JWT and get an instant signature verdict. Verification runs entirely in your browser with the WebCrypto API, so nothing leaves the page.

This free JWKS verifier checks whether a JWT was really signed by your identity provider. It matches the token's kid against the keys in your JWKS, verifies the RS256/RS384/RS512 or ES256/ES384 signature with WebCrypto, and runs claim checks for exp, nbf, iat, iss, and aud. No token or key is ever uploaded, stored, or logged.

100% Client-Side WebCrypto Verification No Signup Required
Keys & Token

Fetching happens in your browser, so the endpoint must allow CORS. Keycloak's JWKS endpoint sends CORS headers, so fetching works. If your provider blocks it, paste the JWKS JSON below instead.

or paste JWKS JSON
Verification Result

No token verified yet

Provide a JWKS and a JWT, then click Verify Signature to get a verdict.

Now Do This in Production

Skycloak runs managed Keycloak with automatic signing-key rotation and always-available JWKS endpoints, so verification like this just works. No ops burden.

Start Free Trial

What Is a JWKS?

A JSON Web Key Set (JWKS) is a JSON document that publishes the public keys an identity provider uses to sign its tokens. Each entry in the keys array is a JSON Web Key (JWK) describing one key: its type (kty), intended use (use: "sig"), algorithm (alg), and a key ID (kid).

Keycloak serves its JWKS at /realms/<realm>/protocol/openid-connect/certs, and any client can fetch it to verify tokens without ever seeing a private key. That is the whole point: the signing key stays secret on the server, while the verification key is public by design.

For a deeper walkthrough of the format and how rotation works, read our guide to understanding JWKS (JSON Web Key Sets).

How kid Matching Works

Every signed JWT carries a kid (key ID) in its header. Verification uses it as a lookup:

  1. Read the header: the verifier decodes the JWT header and reads the kid and alg values.
  2. Find the key: it scans the JWKS for a key whose kid matches, then imports that public key.
  3. Verify: it checks the signature over the header and payload with that key. Any other key in the set is irrelevant.

The kid is what makes key rotation seamless: an identity provider can publish the new key alongside the old one, and tokens signed by either keep verifying until the old key is retired. This tool shows you the match status explicitly, and falls back to trying every signing key when the kid is missing or unmatched.

Why Signature Verification Matters

Decoding a JWT is not verification. Anyone can mint a token with any claims they like: admin: true, your user's email, a fresh expiry. The only thing that ties a token to your identity provider is the signature, so a backend that trusts decoded claims without verifying them is effectively unauthenticated.

If you only need to inspect a token's contents, our JWT Token Analyzer does that. This tool goes one step further and answers the question that matters in production: was this token really signed by the key set you trust?

In your own services, do this check on every request with a proper JWT library. Our guide to verifying a Keycloak-issued access token on the backend walks through the full server-side flow, including JWKS caching and issuer checks.

Common Verification Failures

When a signature check fails against keys you believe are correct, it is usually one of these:

  • kid mismatch after rotation: the realm rotated its signing key and the token was issued by a key that is no longer (or not yet) in the set you fetched.
  • Stale JWKS cache: your backend cached the JWKS before a rotation and never refetched. Verifying against a freshly fetched set here but failing in production is the classic symptom.
  • Wrong realm URL: fetching the JWKS from the master realm while the token was issued by another realm. Compare the token's iss claim with the realm in your JWKS URL.
  • Clock skew: a token that is valid cryptographically but rejected on exp or nbf because the issuer and verifier disagree on the time. Allow a small skew window.

Frequently Asked Questions

Is it safe to paste a real JWT into this verifier?

Yes. Parsing, JWKS fetching, and signature verification all run in your browser with the WebCrypto API, so the token and keys are never uploaded, stored, or logged. Only public keys are involved. That said, treat any live access token like a password and prefer short-lived test tokens when you can.

Why does fetching my JWKS URL fail?

Because the request comes from your browser, the endpoint must send CORS headers (Access-Control-Allow-Origin). Keycloak's JWKS endpoint does, so fetching a Keycloak realm's keys works out of the box. If another provider blocks cross-origin requests, open the JWKS URL directly, copy the JSON, and paste it into the JWKS JSON field instead.

Which algorithms does this verifier support?

RS256, RS384, and RS512 (RSA) plus ES256 and ES384 (ECDSA), which covers the asymmetric algorithms Keycloak and most OIDC providers issue by default. Tokens with alg "none" are always rejected. HS256-family tokens are not supported because they are signed with a symmetric secret that, by definition, never appears in a JWKS.

Where do I find my Keycloak JWKS URL?

It follows the pattern https://<host>/realms/<realm>/protocol/openid-connect/certs. You can also look it up in the realm's OIDC discovery document at /realms/<realm>/.well-known/openid-configuration under the jwks_uri field. Make sure the realm in the URL matches the realm in your token's iss claim.

© 2026 Skycloak. All Rights Reserved. Design by Yasser Soliman