What Invalid Signature Means

The signature doesn't match the header and payload when verified with the provided key. The token may have been tampered with, signed with a different key, or verified with the wrong algorithm.

Common Causes

  • Wrong secret — HS256 verified with incorrect secret
  • Algorithm mismatch — Token is RS256 but verified with HS256
  • Modified payload — Any change invalidates the signature
  • Key rotation — Old token verified with new key

Fix with JWKS

const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');
const client = jwksClient({ jwksUri: 'https://issuer/.well-known/jwks.json' });
const { kid } = jwt.decode(token, { complete: true }).header; // kid is read from the still-unverified header
const key = await client.getSigningKey(kid);                  // fetches (and caches) the matching JWKS key
jwt.verify(token, key.getPublicKey(), { algorithms: ['RS256'] }); // pin the algorithm; throws on an invalid signature

Understanding JWT Invalid Signature — Causes & Fixes in Production

Developers search for JWT Invalid Signature — Causes & Fixes when building API authentication with JSON Web Tokens. JWTs are used by OAuth 2.0, OpenID Connect, Auth0, Firebase, AWS Cognito, and Keycloak. Always validate exp, iss, and aud server-side after the signature check; decoding alone proves nothing about authenticity.

JWT Structure Recap

Every JWT has three dot-separated segments: header (algorithm), payload (claims), signature (proof). Use JWT Decoder to inspect and JWT Validator to verify before trusting any claim value in production code.

Common Pitfalls

  • Algorithm confusion (none attack) — whitelist allowed algorithms
  • Secrets in the payload — payload is only Base64-encoded, not encrypted
  • Ignoring clock skew on exp and nbf
  • Weak HMAC secrets — use 256-bit random keys
  • Skipping signature verification — always call verify(), not decode()
  • Storing tokens in localStorage — XSS can steal them

Further Reading

Browse related resources: JWT Decoder, JWT Validator, JWT Basics, JWT Authentication, JWT Errors, Algorithms, Glossary, and Learning Path.

FAQ

What causes invalid signature?

Wrong secret/key, algorithm mismatch (alg header vs verification), or modified token content.

Can I decode without verifying?

Yes, but never trust decoded content without verification. Use our decoder to inspect and our validator to verify.