JWT.io is a tool for developers to decode, verify, and generate JSON Web Tokens (JWTs). When a JWT is signed with an asymmetric algorithm, its signature is validated with the issuer's public key. JWT.io has no way of knowing which public key that is: the key is not contained in the token, so you must supply it yourself when you use the tool to verify a JWT.
When you obtain a JWT and want to confirm its validity, the verification material you need depends on the signing algorithm named in the token's header. A token signed with a symmetric algorithm such as HS256 is verified with the same shared secret that created it; a token signed with an asymmetric algorithm such as RS256 (RSASSA-PKCS1-v1_5 with SHA-256) is verified with the public key that corresponds to the issuer's private key. For RS256 you paste that public key, in PEM form, into the public key field on JWT.io so the tool can check the token's signature against it.
Here is an example to illustrate this process:
Suppose you have a JWT that uses the RS256 signing algorithm. This token might look like this:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZSBEdWUiLCJpYXQiOjE1MTYyMzkwMjJ9.sZsTsy3fGAcn4JR0A-XH4tyKtA5p6s2B8JfbCJGzGsw5AI25u1pJ1zGt8nB_H8K4TieDYiUHX4fZLc8VZcJFSKg
The first segment of this token, base64url-decoded, is the header {"alg":"RS256","typ":"JWT"}, and the second is the payload {"sub":"1234567890","name":"Joe Due","iat":1516239022}; the third segment is the signature. You want to verify that this JWT was issued by an entity holding the private key that matches your public key. On the JWT.io page there is a text area where you enter the public key. Suppose your public key is as follows (shown truncated):
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzKVTuYAHqQ...
-----END PUBLIC KEY-----
You paste this public key into the public key input field on JWT.io, and JWT.io uses it to validate the JWT's signature. If verification succeeds, the token's header and payload are exactly what the holder of the corresponding private key signed, so the JWT was indeed issued by that entity. If verification fails, the token has been tampered with, was signed by a different key, or you provided the wrong public key. Note that a valid signature proves only origin and integrity: whether the claims themselves are acceptable (for example whether exp has passed or aud and iss match what you expect) is a separate check. Also keep in mind that the key you paste must be the public key; a private key or a production secret has no business in a browser tool.
In summary, JWT.io does not automatically know your public key; the token carries no key, so you must provide the issuer's public key yourself for the tool to verify the JWT's signature.