JWT Generator
Build and sign JSON Web Tokens with a custom header, payload, and secret. All signing happens locally — nothing leaves your browser.
Keep your secret private. Never expose it in client-side code or version control.
What is a JWT Generator?
A JWT generator creates signed JSON Web Tokens from a payload you define and a secret or key you provide. JWTs are used to securely transmit information between parties as a compact, self-contained token. The generator lets you specify standard claims like expiry (exp), issuer (iss), and subject (sub), add custom claims, choose a signing algorithm (HS256, RS256, etc.), and immediately get a token you can use for testing or development without spinning up an auth server.
Common Use Cases
- Generate test tokens with specific roles or claims for local API development
- Create tokens with custom expiry times to test token refresh logic
- Prototype authentication flows before integrating a real identity provider
- Reproduce authentication bugs by generating tokens with exact claim values
- Learn the JWT structure hands-on by editing payloads and observing the encoded output
How It Works
The tool Base64URL-encodes the header JSON and payload JSON, concatenates them with a dot, then signs the result using the selected algorithm. For HMAC algorithms (HS256/HS384/HS512) the SubtleCrypto.sign() API signs with your provided secret. The resulting signature is Base64URL-encoded and appended as the third segment. All signing happens in your browser — the secret never leaves your machine.
Frequently Asked Questions
Is it safe to use this tool with real secrets?
Signing runs in your browser and nothing is transmitted, but treat production secrets with care. For sensitive environments, prefer generating tokens locally with a library like jsonwebtoken (Node.js) rather than any online tool.
What is the difference between HS256 and RS256?
HS256 uses a shared secret (HMAC-SHA256) — both the issuer and verifier need the same key, so it is only suitable when you control both sides. RS256 uses an RSA private key to sign and a public key to verify — the public key can be shared freely, making it suitable for public-facing APIs.
What should I put in the payload?
Include only the claims your application needs: user ID, roles, expiry, and issuer. Avoid storing sensitive data (passwords, PII) in the payload — JWT payloads are Base64URL-encoded, not encrypted, so anyone with the token can read them.
How JWT signing works: A JWT is assembled from a Base64URL-encoded header and payload, joined by a dot. The HMAC algorithm then signs this string using your secret key, producing the signature — the third segment. Tampering with the header or payload invalidates the signature.
Signing uses the browser's native crypto.subtle Web Crypto API. Your secret and payload never leave your device.
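The steps from "How It Works" and the tamper check described above, written out as an added example (not this tool's own code). The function names, the sample secret and the claims are constructed for illustration, and the verifier rejects any token whose header does not say HS256 or whose exp has passed.

```javascript
// Added example: HS256 sign and verify with Web Crypto. All names here are hypothetical.
// Browsers expose crypto.subtle globally; the require() fallback covers older Node.js.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder(), dec = new TextDecoder();

// Base64URL: standard Base64 with '+' -> '-', '/' -> '_', and padding removed.
function b64url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(s) {
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/"));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Import the shared secret as a non-extractable HMAC-SHA256 key for one usage.
function hmacKey(secret, usage) {
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

// header.payload is the signing input; the signature becomes the third segment.
async function signHS256(payload, secret) {
  const header = { alg: "HS256", typ: "JWT" };
  const signingInput = b64url(enc.encode(JSON.stringify(header))) + "." +
    b64url(enc.encode(JSON.stringify(payload)));
  const key = await hmacKey(secret, "sign");
  const sig = await subtle.sign("HMAC", key, enc.encode(signingInput));
  return signingInput + "." + b64url(new Uint8Array(sig));
}

// Returns the claims if the token is authentic and unexpired, otherwise null.
async function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(dec.decode(b64urlDecode(parts[0])));
    if (header.alg !== "HS256") return null; // pin the algorithm, never follow the token's
    const key = await hmacKey(secret, "verify");
    const ok = await subtle.verify("HMAC", key, b64urlDecode(parts[2]),
      enc.encode(parts[0] + "." + parts[1]));
    if (!ok) return null; // header or payload changed, or wrong secret
    const claims = JSON.parse(dec.decode(b64urlDecode(parts[1])));
    if (typeof claims.exp === "number" && claims.exp <= now) return null;
    return claims;
  } catch { return null; } // malformed Base64URL or JSON
}
```

Swapping the payload segment for one with different claims while keeping the original signature makes `verifyHS256` return null, which is the tamper detection the text describes.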