JWT.io - HS256 validation false positivites AFTER initial verification?


After initial validation of JWT HS256, all subsequent input secrets (right or wrong) display Signature Verified.

I should be able to validate, remove a character then see Invalid Signature. Re-type that character and the signature is valid again.

Now luckily I used the JavaScript Web Crypto API to double check but JWT.io will just say yes to anything for HS256.