JWT Generator

Build and sign JSON Web Tokens in-browser with a custom payload, secret key, and algorithm (HS256, HS384, HS512). No data is sent to a server — all signing uses the WebCrypto API.

Secret Key

The secret key is used to sign the token. Keep it private and never share it.

About JWT Generator

How It Works

  • Fill in the JSON payload with the claims you want to include.
  • Choose a signing algorithm (HS256, HS384, HS512, or none).
  • Enter a secret key for HMAC algorithms.
  • The tool uses the WebCrypto API to sign the token entirely in your browser.
  • Copy the generated JWT to use in your API requests or tests.

Common Use Cases

  • Testing JWT-protected API endpoints locally
  • Generating tokens for development and staging environments
  • Learning and understanding JWT structure
  • Creating sample tokens for documentation or demos
  • Debugging authentication flows without a backend

Frequently Asked Questions

What is a JWT and why would I need to generate one?

A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It is commonly used for authentication and secure information exchange in web applications and APIs. You might need to generate a JWT to test a protected API endpoint, create sample tokens for documentation, or debug an authentication flow without running a backend.

Is it safe to use this tool with a real secret key?

This tool runs entirely in your browser using the WebCrypto API. No data is ever sent to a server. However, we recommend using a test/dummy secret key here rather than your real production secret, as best practice dictates never entering sensitive credentials into third-party websites.

What algorithms does this tool support?

The tool supports HS256 (HMAC-SHA256), HS384 (HMAC-SHA384), and HS512 (HMAC-SHA512) — the most widely used symmetric signing algorithms for JWTs. It also supports "none" (unsigned token) for testing purposes. Asymmetric algorithms like RS256 or ES256 require a private key and are not supported here.

What is the difference between HS256, HS384, and HS512?

All three are HMAC-based signing algorithms that differ only in the SHA hash function used: HS256 uses SHA-256 (256-bit signature), HS384 uses SHA-384, and HS512 uses SHA-512. HS256 is by far the most common choice. Use HS384 or HS512 if you need a stronger signature or your infrastructure requires it. All three are considered secure when used with a strong secret.

What should I put in the JWT payload?

The payload is a JSON object containing "claims" — key-value pairs about the subject (user) or session. Standard registered claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). You can also add any custom claims your application needs. Use the "Add Standard Claims" helper to quickly add these common fields.

What is the "none" algorithm and when should I use it?

"none" produces an unsigned JWT — the signature section is empty. This should NEVER be used in production environments as it provides no integrity protection. It may be useful for testing parsers or generating tokens for systems that do not verify signatures, but always treat it as insecure.

How does the Standard Claims Helper work?

The Standard Claims Helper lets you quickly add common JWT registered claims to your payload. Fill in the Subject (sub), Issuer (iss), and/or Audience (aud) fields and choose an expiry window. The tool automatically sets iat (issued at) to the current Unix timestamp and calculates exp (expiration) from the selected window. Clicking "Apply to Payload" merges these into your JSON.

What does the token structure breakdown at the bottom show?

A JWT has three parts separated by dots: Header (algorithm and token type), Payload (claims), and Signature. The breakdown displays each base64url-encoded part color-coded so you can visually identify the structure of your generated token. This is useful for learning JWT internals or comparing tokens side by side.

Why is my generated token different every time even with the same inputs?

HMAC-based signatures are deterministic — if the header, payload, and secret are identical the output will always be the same. If you see a different token, check whether the iat (issued at) claim is being auto-updated to the current timestamp, which would change the payload and therefore the signature.

Can I verify a JWT with this tool?

This tool is designed for generating and signing tokens. To decode and inspect an existing JWT, use the JWT Decoder tool. Cryptographic signature verification (confirming the token was signed by a specific secret) is not currently implemented in this generator — use a dedicated library or the JWT Decoder for verification.
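The signing steps under "How It Works", the warning about "none", and the verification step this generator leaves out fit together in the following added example (not the tool's own source): it signs with WebCrypto HMAC and verifies against an allow-list that the verifier controls. The function names and the hard minimum-length check on the secret are assumptions of the example; the FAQ only recommends those lengths.

```javascript
// Added example, not the tool's source. Browsers and Node 20+ expose globalThis.crypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const HASH = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const MIN_KEY_BYTES = { HS256: 32, HS384: 48, HS512: 64 }; // lengths given in the FAQ
const enc = new TextEncoder();
const dec = new TextDecoder();

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64url = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};

// Assumption of this example: reject secrets shorter than the hash output.
async function importKey(alg, secret) {
  if (!Object.hasOwn(HASH, alg)) throw new Error(`unsupported alg: ${alg}`);
  const raw = enc.encode(secret);
  if (raw.length < MIN_KEY_BYTES[alg]) throw new Error(`secret shorter than ${MIN_KEY_BYTES[alg]} bytes`);
  return subtle.importKey("raw", raw, { name: "HMAC", hash: HASH[alg] }, false, ["sign", "verify"]);
}

async function signJwt(payload, secret, alg = "HS256") {
  const key = await importKey(alg, secret);
  const input = [{ alg, typ: "JWT" }, payload]
    .map((part) => b64url(enc.encode(JSON.stringify(part))))
    .join(".");
  const sig = await subtle.sign("HMAC", key, enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

// The verifier, not the token header, decides which algorithms are acceptable.
async function verifyJwt(token, secret, allowed = ["HS256"], now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, ...rest] = token.split(".");
  if (!h || !p || !s || rest.length) throw new Error("malformed or unsigned token");
  const { alg } = JSON.parse(dec.decode(unb64url(h)));
  if (!allowed.includes(alg)) throw new Error(`alg not allowed: ${alg}`);
  const key = await importKey(alg, secret);
  // subtle.verify recomputes the HMAC over "header.payload" and compares it to the signature.
  const ok = await subtle.verify("HMAC", key, unb64url(s), enc.encode(`${h}.${p}`));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(dec.decode(unb64url(p)));
  if (typeof claims.exp === "number" && claims.exp <= now) throw new Error("token expired");
  return claims;
}
```

Claims are parsed only after the signature check passes, so nothing from an unverified payload reaches the caller.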

What happens if I enter invalid JSON in the payload field?

The tool will display a red error message below the textarea and will not generate a token until the JSON is valid. Make sure all keys and string values are wrapped in double quotes, and that the overall structure is a valid JSON object. The "Load Sample" button restores a known-good example payload.

How long should my secret key be?

For HS256, the key should be at least 32 bytes (256 bits) — matching the hash output length. For HS384 use at least 48 bytes, and for HS512 at least 64 bytes. Using a shorter key is technically allowed but reduces security. Use the Password Generator tool to create a cryptographically random secret of the right length.
