ECDSA Verify Signature Online
Verify the authenticity of an ECDSA digital signature using the signer's public key. Supports NIST curves P-256, P-384, and P-521. Paste the public key, original message, and signature — the tool confirms whether the signature is valid (message is authentic) or invalid. Runs entirely in the browser.
Verification Checklist
- Public key must match the private key used for signing (same key pair)
- Message must be character-for-character identical to what was signed
- Curve must match: P-256 key cannot verify a P-384 signature
- Hash must match what was used during signing
- Signature encoding (base64 / hex) must match how it was produced
- Signature format: this tool uses P1363 (r||s), not DER
Signature Format Quick Reference
| Curve | P1363 size | Base64 length | Hex length |
|---|---|---|---|
| P-256 | 64 bytes | ~88 chars | 128 chars |
| P-384 | 96 bytes | ~128 chars | 192 chars |
| P-521 | 132 bytes | ~176 chars | 264 chars |
Frequently Asked Questions
Why does verification fail even though the signature looks correct?
Common causes: (1) Wrong curve — the public key was generated for P-256 but P-384 is selected; (2) Wrong hash — SHA-256 was used for signing but SHA-384 is selected; (3) Wrong encoding — signature was base64 but hex is selected; (4) Modified message — even a trailing newline or extra space makes verification fail; (5) Wrong public key — the public key must match the private key used for signing.
Can I verify a JWT ECDSA signature here?
You can verify the signature portion, but note that a JWT signs the base64url-encoded header.payload string, not raw text. To verify a JWT ES256 signature: (1) extract the header.payload part (everything before the last dot), (2) paste it as the message, (3) convert the signature from base64url to base64 (replace - with + and _ with /), (4) use P-256 + SHA-256. For ES384 use P-384 + SHA-384, for ES512 use P-521 + SHA-512.
Is verification safe — does the public key leak anything?
Public keys are meant to be shared — they do not reveal the private key. Verification using a public key is a mathematically one-way operation. Nothing about the private key can be inferred from verification, even after many verification attempts.
What signature format does this tool expect?
This tool expects signatures in IEEE P1363 format (raw r||s concatenation), which is what the Web Crypto API and JWT use. This is different from DER format used by OpenSSL and Java. A P-256 P1363 signature is exactly 64 bytes (128 hex chars or ~88 base64 chars). If you have a DER signature, you need to convert it first.
What is the difference between DER and P1363 signature format?
DER (Distinguished Encoding Rules) encodes the r and s integers with type/length tags — the result is variable-length and starts with 0x30. P1363 (IEEE P1363) concatenates r and s as fixed-length big-endian integers — the result is a fixed length (64 bytes for P-256). Web Crypto API, JWT, and this tool use P1363. OpenSSL, Java, and traditional X.509 use DER.
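One way to do the DER-to-P1363 conversion described above, as an added example (not this tool's own code). The names derToP1363, readLength, readInteger and COMPONENT_BYTES are hypothetical, and the sample bytes are constructed, not a real signature.

```javascript
// Added example: convert a DER ECDSA signature to IEEE P1363 (r||s).
const COMPONENT_BYTES = { "P-256": 32, "P-384": 48, "P-521": 66 };

// Read a DER length at `pos`; returns [length, next position].
function readLength(buf, pos) {
  const first = buf[pos++];
  if (first === undefined) throw new Error("truncated DER length");
  if (first < 0x80) return [first, pos]; // short form
  // Signatures for these curves stay under 256 bytes, so only 0x81 is valid.
  if (first !== 0x81 || pos >= buf.length || buf[pos] < 0x80)
    throw new Error("bad DER length");
  return [buf[pos], pos + 1];
}

// Read one INTEGER and return it left-padded to `size` bytes.
function readInteger(buf, pos, size) {
  if (buf[pos++] !== 0x02) throw new Error("expected INTEGER tag 0x02");
  let len;
  [len, pos] = readLength(buf, pos);
  if (len === 0 || pos + len > buf.length) throw new Error("bad INTEGER length");
  let value = buf.subarray(pos, pos + len);
  if (value[0] & 0x80) throw new Error("negative INTEGER");
  // DER adds a 0x00 sign byte when the top bit is set; P1363 drops it.
  while (value.length > 1 && value[0] === 0) value = value.subarray(1);
  if (value.length > size) throw new Error("INTEGER too large for curve");
  const out = new Uint8Array(size);
  out.set(value, size - value.length);
  return [out, pos + len];
}

function derToP1363(der, curve) {
  const size = COMPONENT_BYTES[curve];
  if (!size) throw new Error("unsupported curve: " + curve);
  if (der[0] !== 0x30) throw new Error("expected SEQUENCE tag 0x30");
  let [seqLen, pos] = readLength(der, 1);
  if (pos + seqLen !== der.length) throw new Error("length mismatch or trailing data");
  let r, s;
  [r, pos] = readInteger(der, pos, size);
  [s, pos] = readInteger(der, pos, size);
  if (pos !== der.length) throw new Error("trailing data inside SEQUENCE");
  const sig = new Uint8Array(size * 2);
  sig.set(r, 0);
  sig.set(s, size);
  return sig;
}

// Constructed sample: r = 0x80 (DER needs a 0x00 sign byte), s = 0x01.
const SAMPLE_DER = Uint8Array.from([0x30, 0x07, 0x02, 0x02, 0x00, 0x80, 0x02, 0x01, 0x01]);
const SAMPLE_P1363 = derToP1363(SAMPLE_DER, "P-256");
```

The result is raw bytes; encode it as base64 or hex to match the encoding selected in the tool.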