jwt: signature is invalid: what it means and how to fix it

TL;DR: Validate locally, fix the first real error, validate again (no upload).

Fix jwt: signature is invalid by decoding safely and locally (no upload).

What the error means

jwt: signature is invalid means a decoder rejected the input as invalid encoding. The fastest path is to identify what format you have, normalize it, then decode again.

Most common real-world causes

JWT problems are often: not 3 segments, wrong key/algorithm, or option mismatch (aud/iss/sub).
The input is not actually encoded in the expected format (Base64 vs Base64URL vs plain text).
You copied only part of the string (truncated token/payload).
Whitespace/newlines were introduced during copy/paste.
Wrong character set: URL-safe Base64 uses '-' and '_' instead of '+' and '/'.
You decoded using the wrong function (decodeURIComponent on non-URL-encoded data, atob on non-Base64).

Fast debugging steps

If you see a JWT library error, decode the token parts first to confirm structure and claims.
Confirm what you are decoding (URL encoding, Base64, Base64URL, JWT).
Trim whitespace and remove line breaks before decoding.
If it's a JWT, ensure it has 3 dot-separated parts (header.payload.signature).
If it's Base64URL, convert '-' -> '+' and '_' -> '/' and add padding if needed.

Code example (go)

// Go JWT structure decode (no signature verification)
package main

import (
  "encoding/base64"
  "fmt"
  "strings"
)

func main() {
  parts := strings.Split(token, ".")
  if len(parts) != 3 {
    panic("JWT must have 3 segments")
  }

  decode := func(s string) []byte {
    b, err := base64.RawURLEncoding.DecodeString(s)
    if err != nil {
      panic(err)
    }
    return b
  }

  fmt.Println("header", string(decode(parts[0])))
  fmt.Println("payload", string(decode(parts[1])))
  // Signature verification requires the signing key.
}

Fix without uploading data

Encoded strings often contain secrets (tokens, IDs). Decode locally and share only redacted snippets.

URL Encode/Decode for percent-encoding.
Base64 Encode/Decode for Base64/Base64URL payloads.
JWT Decoder to inspect header/payload without uploads.

FAQ

Is Base64 the same as Base64URL? No. Base64URL uses '-' and '_' and often omits padding. Normalize before decoding.

Does decoding a JWT verify it? No. Decoding shows claims; verification requires the signing key.

Next steps

Related tools

Base64 Encode/Decode URL Encode/Decode Query string ↔ JSON JWT Decoder

Related guides

URL encoding explained Decode Base64 without uploading Encode Base64 without uploading Base64URL vs Base64 Base64URL → Base64 convert Base64 padding (=) explained atob/btoa explained Decode JWT without uploading

Related by intent

jwt: token is expired: what it means and how to fix it jwt: token contains an invalid number of segments: what it means and how to fix it Go: decode Base64URL (JWT) safely Go: JWT payload Base64URL debug workflow

Privacy & Security

All processing happens locally in your browser. Files are never uploaded.