Ed25519 Sign and Verify

Generate Ed25519 keys, sign messages, and verify signatures — all in your browser using the Web Crypto API. Fast, deterministic EdDSA over Curve25519.

Settings & Key Pair

Message Encoding

Signature Format

Key Format

Public Key

Private Key

Sign Message

Message to Sign

Verify Signature

Original Message Public Key (Hex) Signature (Hex)

About Ed25519 Sign and Verify

Ed25519 is a modern public-key signature scheme based on the Edwards-curve Digital Signature Algorithm (EdDSA) over Curve25519, designed by Daniel J. Bernstein and collaborators. It produces compact 64-byte signatures from 32-byte keys, is faster than RSA and ECDSA at the same security level, and is deterministic — the same message and key always produce the same signature, removing an entire class of implementation bugs that plague ECDSA.

This tool uses the browser's native SubtleCrypto Ed25519 implementation. You can generate a fresh key pair, sign any message, or verify a signature with someone else's public key. Inputs and keys never leave your browser.

Ed25519 is the signing algorithm behind modern systems like SSH, GnuPG, signify, age, Cloudflare Tunnels, Tor onion v3 addresses, OpenSSH host keys, JOSE/JWT EdDSA signatures, and most modern blockchains (Solana, Cardano, NEAR, Stellar, etc.).

How to Use Ed25519 Sign and Verify

Pick a Key Format: Raw Hex and Raw Base64 are 32-byte values (the canonical form for libraries like libsodium and tweetnacl). JWK follows RFC 8037 (kty: "OKP", crv: "Ed25519") and is what JOSE / JWT libraries expect. PEM wraps SPKI public and PKCS#8 private keys for OpenSSL interop.
Click Generate Key Pair to create a fresh Ed25519 key pair locally — or paste your own key in the chosen format.
In the Sign Message panel, type or paste the message you want to sign and click Sign. The signature is encoded in the format you picked (Hex = 128 chars, Base64 = 88 chars).
To verify, paste the original message, the signer's public key, and the signature into the Verify Signature panel and click Verify. The badge turns green for a valid signature, red for an invalid one or any decoding/import error.
Use Send to Verify → after signing to copy the message, public key, and signature into the verify panel for a quick round-trip check.

Frequently Asked Questions

Is my private key sent to a server?

No. Key generation, signing, and verification all happen inside your browser via the Web Crypto API. The private key is held in a non-extractable form during the operation and never leaves your device. Generated keys are only kept in the page's memory until you reload or click Reset.

Why is Ed25519 better than RSA or ECDSA?

Compared with RSA-2048, Ed25519 is faster, has smaller keys (32 bytes vs ≥ 256 bytes) and smaller signatures (64 bytes vs ≥ 256 bytes). Compared with ECDSA, Ed25519 is deterministic — you don't need a secure random number for every signature, which avoids the catastrophic key-leak class of bugs that hit Sony's PS3 and many Bitcoin wallets. Ed25519 also rejects malleable signatures by construction.

I get "Web Crypto API is not available" or the generator fails. Why?

The browser's Ed25519 support requires Chrome / Edge 113+, Safari 17+, or Firefox 130+. Older browsers don't expose Ed25519 in SubtleCrypto, and many in-app browsers (older Facebook / Instagram webviews) lag behind. Try Chrome, Edge, or Firefox on a desktop and the issue should clear.

What does the 32-byte private key actually contain?

In Ed25519 the private key is a 32-byte seed. The signing algorithm hashes the seed with SHA-512 to derive both the secret scalar and the per-message nonce, then computes the signature deterministically. PKCS#8 PEM private keys wrap that same 32-byte seed in an ASN.1 structure, and JWK encodes it base64url-encoded as the d field. All representations carry the same secret.

Why is verification deterministic but my signature changes when I re-sign?

It shouldn't. Ed25519 signatures are pure functions of (message, secret seed) — sign the same input twice and you must get the same 64 bytes. If you see a different output it usually means the message encoding changed (a different newline, an extra space, or a Hex/Base64 vs UTF-8 mismatch). Double-check the Message Encoding setting.

Can I verify a JWT signed with EdDSA?

Yes. Concatenate the JWT's first two segments with a dot (header.payload) — that string is what was signed. Set Message Encoding = UTF-8, paste the third segment as the signature with Signature Format = Base64 (after replacing -/_ with +// and adding = padding), and paste the JWK or PEM public key from the issuer's JWKS endpoint.

Does this support Ed448 or X25519 (key agreement)?

This tool is for Ed25519 signing only. X25519 is the key-agreement counterpart over the same curve — different operation, different keys. Ed448 is a higher-security variant over Curve448 with 57-byte signatures and slower performance; browser Web Crypto support is still uneven and it is not exposed by this page.