When using the CryptoKey class for signing and verification for instance JWT , mismatches in hash, PSS padding, or encoding options commonly cause invalid signature errors in the status object returned by .verify(). To prevent this, always use identical options for both methods and verify immediately after signing for debugging.
Below is an example demonstrating consistent usage for RSA with PSS (suitable for PS256 JWTs):

$settings:=New object("type"; "RSA"; "size"; 2048) $key:=4D.CryptoKey.new($settings) $message:="Secure message" $options:=New object("hash"; "SHA256"; "pss"; True; "encoding"; "Base64URL") $signature:=$key.sign($message; $options) $status:=$key.verify($message; $signature; $options) If (Not($status.success))     ALERT("Signature invalid: Check options or key") End if

For ECDSA (e.g., ES256), omit "pss" as it's RSA-only. Use "hash": "SHA256" and match the curve ("prime256v1"). Export the public key via .getPublicKey() for separate verification.