JWT + JWKS Verifier (Public Key Discovery)
Production JWT verifiers typically fetch the public key from a JWKS endpoint — the issuer's standard endpoint that lists current signing keys. This tool does that handshake in the browser: paste the JWT and the JWKS URL (or issuer URL — we'll find the JWKS), and get verification + decoded claims.
How to use the JWT + JWKS Verifier (Public Key Discovery)
Paste a JWT and its issuer's JWKS endpoint URL. Click verify. The tool fetches the JWKS, finds the matching key (by kid header), and validates the signature.
CORS note: the JWKS endpoint must allow cross-origin GET from codeswap.net. Most providers do (Auth0, Okta, AWS Cognito) but some lock it down.
How JWKS makes verification self-service
A token signed with RS256 or ES256 is verified with a public key — but which one? Issuers publish their current public keys at a JWKS endpoint, a JSON document listing one or more keys, each tagged with a key ID. The token's header carries a matching kid, so a verifier fetches the JWKS, picks the key whose ID matches, and checks the signature with it. This lets issuers rotate keys without redeploying every service that trusts them.
This tool performs that whole handshake in the browser: paste a JWT and the issuer's JWKS URL, and it fetches the key set, selects by kid, verifies the signature, and decodes the claims. Because the fetch happens from your browser, the JWKS endpoint must permit cross-origin requests — the big identity providers (Auth0, Okta, AWS Cognito) generally do, though some self-hosted setups lock it down.
Common use cases
- End-to-end verification — confirm a real token from your identity provider verifies against its live public keys.
- Key rotation debugging — check whether a token's
kidstill matches a key in the current JWKS. - Issuer onboarding — verify a new provider's JWKS endpoint returns usable keys before wiring it into your app.
- Incident triage — when logins start failing, see if the JWKS is reachable and the signature still checks out.
- Learning OIDC — watch how discovery turns an issuer URL into a verified, decoded token.