search

Found

info Overview

Paste a 32-byte Ed25519 public key, the message, and a 64-byte signature as hex, base64, or base64url. Browser Web Crypto runs RFC 8032 verification.

📘 How to Use

  1. Paste the Ed25519 public key (32 bytes) and pick its format (hex, base64, or base64url)
  2. Enter the signed message and the 64-byte signature, matching each format selector
  3. Read the Valid or Invalid badge plus the public key, message, and signature byte counts

Ed25519 Signature Verifier

Verification result

Fill the public key, message, and signature to verify automatically

Public key bytes
Message bytes
Signature bytes
Algorithm
Ed25519

※ RFC 8032 EdDSA on Edwards25519. Private key 32 B, public key 32 B, signature 64 B.

※ Uses the browser Web Crypto API (Ed25519). Chrome 137+, Safari 17+, Firefox 130+.

※ All work runs in the browser; the key, message, and signature are never sent to a server.

grid_view Related

Article

Ed25519 Signature Verifier | Check RFC 8032 EdDSA Signatures in Your Browser

Paste an Ed25519 public key, the message, and the signature, and the browser Web Crypto API runs RFC 8032 EdDSA verification to tell you whether the signature is valid for that key and message. Three encodings (hex, base64, base64url) let you drop in values from JWTs, SSH keys, or blockchain transactions as-is.

💡 About this tool

Ed25519 is EdDSA over the twisted Edwards form of Curve25519. Its 32-byte public keys and 64-byte signatures, plus fast verification, made it the default across the stack: the JWT EdDSA algorithm, OpenSSH ssh-ed25519 keys, and transaction signing in Solana, Cosmos, and NEAR.

If you have ever debugged signature verification, the questions are always the same. Did the server actually sign this payload? The key arrived base64-encoded but the other side documented it as hex — which one is right? A library upgrade quietly changed the output and now verify returns false. You want to isolate the problem without spinning up a Node REPL or a Python cryptography snippet.

Drop in the three values and the tool decodes each to a Uint8Array, checks the lengths (32 bytes for the key, 64 for the signature), imports the key with crypto.subtle.importKey, and calls crypto.subtle.verify. Each field has its own format selector, so a hex key alongside a base64 signature is no problem. The key, message, and signature stay in your browser and are never sent to a server.

🧐 Frequently Asked Questions

Do I need the private key? No. Verification only needs the public key. There is no private-key field and no signing function here — this tool verifies, it does not produce new signatures.

Should I paste a pre-hashed message? No. Ed25519 (PureEdDSA) hashes the entire message internally during signing and verification, so paste the exact raw message that was signed. A pre-hashed digest will come back Invalid.

What happens if I pick the wrong encoding? If a value fails to decode you get a red error, and if the key or signature is not 32 / 64 bytes you get a length warning. Re-check the per-field format selector (hex, base64, or base64url).

My browser says Ed25519 is not supported. Web Crypto Ed25519 ships in Chrome 137+, Safari 17+, and Firefox 130+. On older engines crypto.subtle.importKey throws, so the tool reports the lack of support. Try an up-to-date browser.

Can it verify Ed448 or secp256k1 signatures? No. This tool is Ed25519-only. Signatures on other curves are out of scope.

📚 Fun Facts

One reason Ed25519 spread so fast is deterministic signing. ECDSA needs a fresh random nonce per signature, and biased or reused nonces have leaked private keys in real incidents — including a famous PlayStation 3 console-signing key recovery. Ed25519 derives the per-signature value from the private key and the message instead, so the same key and message always yield the same signature and the whole class of nonce bugs disappears.

The "25519" comes from the prime 2²⁵⁵ − 19, which also names Curve25519. A public key fits in 32 bytes because a curve point compresses to a single coordinate plus a sign bit — the tidy math behind why an ssh-ed25519 key fits on one line where an RSA key sprawls across many.