JWT Generator
Sign and encode a JSON Web Token in your browser using HMAC. Edit the header and payload as JSON, pick HS256, HS384 or HS512, supply your secret, and copy the resulting token. Signing happens locally via the SubtleCrypto API — no upload, no server round-trip.
JSON in, signed token out
A JWT is three base64url-encoded segments joined by dots: header.payload.signature. The signature is the HMAC of the first two segments exactly as they appear in the token, dot included, i.e. over the ASCII string base64url(header) + '.' + base64url(payload).

Payload (input):
{"sub":"1234567890","name":"Jane Doe","iat":1700000000,"role":"admin"}

Token (output, HS256 header):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzAwMDAwMDAwLCJyb2xlIjoiYWRtaW4ifQ.<signature>
What you'll use this for
JWTs are the standard for stateless authentication and short-lived service-to-service credentials.
Session tokens
Issue a signed JWT from your login endpoint and verify it on each API call.
API testing
Hand-craft a JWT with a custom sub or role claim for end-to-end tests.
Magic links
Embed short-lived signed payloads in URLs for password-reset or invite flows.
Webhook signing
Sign outbound webhook payloads with HMAC so consumers can verify origin.
How to sign a JWT
Edit the header
Keep typ:"JWT". The alg field is overwritten to match the selected algorithm.
Edit the payload
Add your claims: sub, exp, iat, aud, plus any custom fields like role.
Enter the secret
HMAC needs a shared secret. Use a long, random value in production: RFC 7518 requires a key at least as long as the hash output, so 256 bits for HS256, 384 for HS384 and 512 for HS512. A human-chosen password does not meet that bar, however long it looks.
Copy the token
The token appears below. Copy it to clipboard, paste into Authorization: Bearer …, or download it.
Frequently asked questions
Does the signature encrypt the payload?
The HMAC signature proves the token was created by someone who knows the shared secret — and that nobody altered the header or payload after signing. It does not encrypt the payload. Anyone with the token can base64url-decode the first two segments and read every claim.
HS256 or HS512?
HS512 produces a 64-byte signature instead of HS256's 32 bytes, so tokens are longer, and RFC 7518 requires a correspondingly longer secret (512 bits instead of 256). For inputs the size of a JWT the speed difference is negligible. HS256 is universally supported and considered secure when paired with a high-entropy secret of at least 256 bits. The weak link is almost always the secret, not the hash size.
Is the output URL-safe?
Yes. base64url (RFC 4648 §5) uses only A-Z, a-z, 0-9, - and _, and JWTs drop the = padding for compactness, so a token can sit in a URL, header or cookie unescaped. Any conformant JWT library accepts this. Some lenient parsers also accept standard base64 with + and /, but you should not produce it, and a strict verifier should reject it.
Does it support RS256 or ES256?
Not yet. This tool covers the HMAC algorithms (HS256, HS384, HS512). RS256 (RSASSA-PKCS1-v1_5 with SHA-256) and ES256 (ECDSA with P-256 and SHA-256) require an asymmetric private key in PEM or JWK form, which is a different signing flow. Open an issue if you want it added.
What are exp and nbf?
Both go in the payload, alongside iat. They are Unix timestamps in seconds (not milliseconds). exp is "expires at": verifiers reject tokens past this time. nbf is "not before": verifiers reject tokens before this time. Verifiers usually allow a small clock skew for both. Always set exp in production; tokens that live forever are tokens that get stolen.
About JSON Web Tokens
A JSON Web Token (RFC 7519) is a compact, URL-safe representation of signed claims. The signing rules live in RFC 7515 (JWS). This tool implements the HMAC signing family (HS256/HS384/HS512) using the browser's SubtleCrypto API — no third-party libraries, no upload.
Token structure
- Header — JSON, base64url-encoded. Declares the algorithm and token type.
- Payload — JSON, base64url-encoded. Carries the claims.
- Signature — HMAC of base64url(header) + '.' + base64url(payload), base64url-encoded.
Security notes
- Secret strength. RFC 7518 requires an HS256 secret of at least 256 bits, and it must be random. A low-entropy secret (a password, a dictionary word, a vendor default) can be recovered offline from a single captured token, because anyone holding the token can recompute candidate HMACs at full speed with nothing to rate-limit them.
- Algorithm pinning. Verifiers must hard-code the expected algorithm and never trust the alg header from the token itself. An attacker who controls alg can declare none, or coax a verifier that also holds a public key into using that public key as an HMAC secret.
- Short lifetimes. Set exp aggressively. Pair short-lived access tokens with refresh tokens for a sane revocation story.