JWT Generator
Create and sign JSON Web Tokens using HS256 (HMAC-SHA256)
Keep this secret in production โ never expose it client-side
About this tool
The JWT Generator creates signed JSON Web Tokens directly in your browser using the WebCrypto API. Enter a secret key and custom claims (payload), and it generates a valid HS256-signed JWT with correct base64url encoding. Nothing is sent to any server.
When to use it
- โGenerating test tokens for local API development without running auth servers
- โCreating JWTs with specific expiry and claims for manual integration testing
- โLearning JWT structure by experimenting with header, payload, and signature
- โMocking authentication flows in frontend prototypes
Tips
- โAlways include exp (expiry) and iat (issued-at) claims โ most JWT libraries reject tokens without them.
- โThe secret key strength is critical: use at least 256 bits (32 bytes) of random data for HS256.
- โNever use the same secret in production as in testing โ rotate keys when moving between environments.
Frequently asked questions
Is my secret key safe when using this tool?
Yes. The JWT is signed entirely in your browser using the WebCrypto API. Your secret key and payload never leave your device โ there is no network request.
What is the difference between HS256 and RS256?
HS256 uses a single shared secret for both signing and verification (symmetric). RS256 uses a private key to sign and a public key to verify (asymmetric), which is safer when the verifier is a different party from the signer.
Why does my JWT have three dot-separated parts?
A JWT consists of three base64url-encoded parts: the header (algorithm and token type), the payload (claims), and the signature. They are concatenated with dots: header.payload.signature.
Can I use this JWT in production?
You can use the format, but never hardcode secrets generated or tested here in production systems. Always load secrets from environment variables or a secrets manager.