AuthBox — JWT Verifier (RS256 default)

Server's RSA public key (used to verify RS256 tokens)

AUTHBOX_RSA_PUBLIC_KEY_v1_secret_value_intended_for_verification_only

In real life this would be a PEM-encoded RSA public key. Here it's a string — the principle is the same. The verifier reads it as bytes for whichever algorithm the token specifies.

Forge a token

Header (JSON) Payload (JSON) HMAC secret (paste public key for the attack)

Verify a token

Token to verify