Is it safe to paste a real JWT into this verifier?
Yes. Parsing, JWKS fetching, and signature verification all run in your browser with the WebCrypto API, so the token and keys are never uploaded, stored, or logged. Only public keys are involved. That said, treat any live access token like a password and prefer short-lived test tokens when you can.
Why does fetching my JWKS URL fail?
Because the request comes from your browser, the endpoint must send CORS headers (Access-Control-Allow-Origin). Keycloak's JWKS endpoint does, so fetching a Keycloak realm's keys works out of the box. If another provider blocks cross-origin requests, open the JWKS URL directly, copy the JSON, and paste it into the JWKS JSON field instead.
Which algorithms does this verifier support?
RS256, RS384, and RS512 (RSA) plus ES256 and ES384 (ECDSA), which covers the asymmetric algorithms Keycloak and most OIDC providers issue by default. Tokens with alg "none" are always rejected. HS256-family tokens are not supported because they are signed with a symmetric secret that, by definition, never appears in a JWKS.
Where do I find my Keycloak JWKS URL?
It follows the pattern https://<host>/realms/<realm>/protocol/openid-connect/certs. You can also look it up in the realm's OIDC discovery document at /realms/<realm>/.well-known/openid-configuration under the jwks_uri field. Make sure the realm in the URL matches the realm in your token's iss claim.