Why do I need a private key to verify a JWT?

Just looked at the video here, "RS256 vs HS256 What's the difference?", and it says that for the RS256 algorithm a private key is used to create a JWT signature and a public key is used to verify the signature. This makes total sense.

Why does jwt.io ask for my private key to verify the signature?

If I need to share the private key, then this is no different from HS256 where the same key is used to both create and verify the signature?

Ok, it looks like I actually can verify a token with just the public key (which was my main concern), but still curious why jwt.io requires a private key. This is pretty confusing.


Hey there @okneloper!

Thanks for following up on this - I agree the language there is a bit confusing :thinking: FWIW if you are using RS256 jwt.io should automatically verify the signature for you without having to paste in your public key at all. It does this by using the issuer iss claim to call the jwks endpoint and use the public key from there.


Thanks. I was testing my own token (signed by Laravel Passport) on jwt.io.

Just tried again, and got “Signature Verified” with just the public key.

I presume you fixed it :slight_smile: thanks

P.S. when I said

I meant in my application. jwt.io wouldn’t let me do that yesterday.


Thanks for following up and clarifying!
