Explanation of the JWT Signature Verification Process

Hi everyone,

As I am quite new in the topics of Auth0, JWT, JWKS, etc., I have spent the better part of the last couple of weeks really trying to sink my teeth into the whole picture. My native language is COBOL and since there seemingly are no resources out there for COBOL developers wanting to verify JWTs, I have been writing my own. I have everything going great up until the point of the actual JWT signature verification. Here is my understanding so far for using RS256 method.

  1. Find a valid JWKS record from the API for my company’s domain.
  2. String together the JWT header + . + payload.
  3. Using SHA-256, hash the above string.
  4. From JWKS, build a certificate using the x5c record from the JWKS. This certificate becomes the public key.

I know there is a difference between signing and encryption and I have seem to found conflicting information on the last steps of this process. Do I use the public key to encrypt the hashed string using the RSA encryption method? Or do I decode the base64url representation of the signature and then decrypt that string using the RSA decryption method?

Like I said, I have not seen any article or information available that really breaks down all the details of the process. And since I am having to write my own routine from scratch (with no help from inherent “verify signature” routines in COBOL), I am trying to ensure that all of this is written correctly.

Any help\guidance would be greatly appreciated!!

Hey there!

Terribly sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes our bandwidth is just not enough for all the questions that are coming in. Sorry for the inconvenience!

Do you still require further assistance from us?


While I never really found a true algorithmic breakdown of the signature verification process to truly explain what is going on, I worked with our ISV in constructing a solution based on already written SDK’s for JWT verification. I would surely still benefit, and I’m sure others would as well, from an explanation of the moving parts of the signature verification process.