I have a slight confusion regarding the online JWT validator jwt.io. As far as I understand, a JWT that is signed with the RS256 algorithm is signed with a private key, and all is needed to verify it is the corresponding public key.
If so, why is it that jwt.io lets you fill in the private key part?
>Solution :
jwt.io works in both directions, you can also add or modify values on the right side (the Decoded column) in the header and payload and then get a new signed token if you provide the private key.
As long as you only want to verify an asymmetric signed token, you only need to provide the public key.