JWT Generator: sign JSON Web Tokens with HMAC
Free online JWT generator. Sign and encode a JSON Web Token in your browser using HMAC — edit the header and payload as JSON, pick HS256, HS384, or HS512, supply your secret, then copy the resulting token. Signing happens locally via the SubtleCrypto API — no upload, no server round-trip.
JSON in, signed token out
A JWT is just three base64url-encoded chunks joined by dots: header.payload.signature. The signature is HMAC over the first two chunks.
Example payload:
{"sub":"1234567890","name":"Jane Doe","iat":1700000000,"role":"admin"}
Resulting token (signature segment shown as a placeholder):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzAwMDAwMDAwLCJyb2xlIjoiYWRtaW4ifQ.<signature>
What you'll use this for
JWTs are the standard for stateless authentication and short-lived service-to-service credentials.
Session tokens
Issue a signed JWT from your login endpoint and verify it on each API call.
API testing
Hand-craft a JWT with a custom sub or role claim for end-to-end tests.
Magic links
Embed short-lived signed payloads in URLs for password-reset or invite flows.
Webhook signing
Sign outbound webhook payloads with HMAC so consumers can verify origin.
How to sign a JWT
Edit the header
Keep typ:"JWT". The alg field is overwritten to match the selected algorithm.
Edit the payload
Add your claims: sub, exp, iat, aud, plus any custom fields like role.
Enter the secret
HMAC needs a shared secret. Use a long, random string in production — at least 256 bits for HS256.
Copy the token
The token appears below. Copy it to clipboard, paste into Authorization: Bearer …, or download it.
Frequently asked questions
What does the HMAC signature protect?
The HMAC signature proves the token was created by someone who knows the shared secret — and that nobody altered the header or payload after signing. It does not encrypt the payload. Anyone with the token can base64url-decode the first two segments and read every claim.
HS256 or HS512: which should I pick?
HS512 produces a longer signature (64 bytes vs 32 for HS256) and is slower per sign/verify. HS256 is widely supported, fast, and considered secure when paired with a high-entropy secret of at least 256 bits. The weak link is almost always the secret, not the hash size.
Is the output base64url rather than plain base64?
Yes — base64url (RFC 4648 §5) uses only A-Z, a-z, 0-9, -, _. JWTs strip the = padding for compactness. Any conformant JWT library accepts this. Some loose parsers also accept standard base64 with + and / — but you should not produce it.
Does the tool support RS256 or ES256?
Not yet. This tool covers the HMAC algorithms (HS256, HS384, HS512). RS256 (RSA-SHA-256) and ES256 (ECDSA-P256-SHA-256) require an asymmetric private key in PEM or JWK form, which is a different signing flow. Open an issue if you want it added.
Where do exp and nbf go, and what units do they use?
Both go in the payload, alongside iat. They are Unix timestamps in seconds (not milliseconds). exp is "expires at" — verifiers reject tokens past this time. nbf is "not before" — verifiers reject tokens before this time. Always set exp in production; tokens that live forever are tokens that get stolen.
About JSON Web Tokens
A JSON Web Token (RFC 7519) is a compact, URL-safe representation of signed claims. The signing rules live in RFC 7515 (JWS). This tool implements the HMAC signing family (HS256/HS384/HS512) using the browser's SubtleCrypto API — no third-party libraries, no upload.
Token structure
- Header — JSON, base64url-encoded. Declares the algorithm and token type.
- Payload — JSON, base64url-encoded. Carries the claims.
- Signature — HMAC of base64url(header) + '.' + base64url(payload), base64url-encoded.
Security notes
- Secret strength. HS256 demands at least 256 bits of entropy in the secret. Anything shorter is brute-forceable offline.
- Algorithm pinning. Verifiers must hard-code the expected algorithm — never trust the alg header from the token itself.
- Short lifetimes. Set exp aggressively. Pair short-lived access tokens with refresh tokens for a sane revocation story.