JWT Generator
Sign JSON Web Tokens locally with HS256, HS384, or HS512 — WebCrypto API, no data leaves your browser.
About this tool
A browser-based JWT generator that signs tokens using HMAC algorithms (HS256, HS384, HS512) via the WebCrypto API. Edit the payload JSON, add standard time claims with one click, and copy the signed token to test your authentication flows without a backend.
How to use it
Quick steps to get the most out of this utility.
1. Choose an algorithm. Select HS256 (most common), HS384, or HS512. All three use a shared secret and produce a compact token.
2. Enter a secret. Type any string as your signing secret. Use a random test value, never a real production secret.
3. Edit the payload. Modify the JSON payload. Use the quick-insert buttons to add iat (now), exp (+1 hour), or nbf claims.
4. Generate and copy. Click "Generate JWT" to sign the token and copy it. Click the decoder link to inspect it immediately.
How JWT signing works
A JWT is three Base64URL-encoded segments joined by dots: header, payload, and signature. The header declares the algorithm; the payload carries the claims. Neither segment is encrypted: anyone who holds the token can decode and read both, so the signature provides integrity and authenticity, not confidentiality. The signature is computed as HMAC-SHA-256, -384 or -512 (whichever matches the alg header), keyed with the secret, over the ASCII string base64url(header) + "." + base64url(payload), and the resulting tag is Base64URL-encoded. Without the secret it is computationally infeasible to produce a valid tag for a modified header or payload; the receiver recomputes the HMAC over the first two segments and rejects the token on any mismatch, comparing the two tags in constant time so that the comparison itself leaks nothing.
HS256 vs HS384 vs HS512
All three algorithms are HMAC with a different SHA-2 hash. HS256 produces a 256-bit (32-byte) tag, HS384 a 384-bit (48-byte) tag, and HS512 a 512-bit (64-byte) tag. HS256 is the most widely supported: RFC 7518 marks it as the only algorithm a JWS implementation is required to support, with the others optional. The longer tags do not make a token meaningfully harder to forge in practice; what matters is the entropy of the secret. RFC 7518 requires a key at least as long as the hash output (32 bytes for HS256, 48 for HS384, 64 for HS512), and a short or guessable secret is the real weakness: an attacker who captures a single token can test candidate secrets offline at hash speed and, once one matches, mint tokens at will. Use HS256 with a randomly generated secret of at least 32 bytes as the baseline and move to HS384 or HS512 only if your security policy requires it.
When to use asymmetric signing (RS256/ES256)
HMAC requires all parties to share the same secret, so any service that can verify a token can also forge one, and every verifier is one more place the secret can leak from. If you have multiple microservices or external verifiers, asymmetric signing (RS256, ES256) is safer: the issuer signs with a private key and verifiers hold only the public key. Whichever family you use, the verifier must pin the algorithm it expects rather than trusting the token's alg header; otherwise a token can be rewritten to HS256 and signed with the publicly known RSA key as the HMAC secret. This tool covers HMAC for simplicity; for asymmetric JWTs, use a server-side library like jsonwebtoken (Node) or PyJWT (Python).
Frequently asked questions
Is it safe to use a real secret here?
No — never paste a real production secret into any website, including this one. Use this tool with test secrets only. All signing happens locally in your browser via the WebCrypto API and nothing is transmitted, but it is good practice to keep production secrets out of browser tools entirely.
What algorithms are supported?
This tool supports HMAC-based algorithms: HS256, HS384, and HS512. These use a shared secret for signing. Asymmetric algorithms (RS256, ES256) require a key pair and are not yet supported.
What is the difference between iat, exp, and nbf?
All three are NumericDate claims: Unix timestamps in seconds, not milliseconds (a common bug is inserting JavaScript's Date.now() unchanged, which produces a token that expires thousands of years from now). iat (issued at) records when the token was created. exp (expires at) is the time after which the token must be rejected, the single most important claim for limiting the damage from a leaked token. nbf (not before) is a time before which the token must not be accepted. Verifiers usually allow a few seconds of leeway on exp and nbf to tolerate clock skew between issuer and verifier.
How do I verify the signature?
Verification happens server-side. Your backend receives the JWT, splits it on the dots, recomputes the HMAC over the first two segments (header "." payload, still Base64URL-encoded) using the secret it already holds, and compares the result to the third segment with a constant-time comparison. The algorithm to use comes from server configuration, not from the token's alg header, which is only checked for equality. Only after the signature matches should the payload be trusted: the server then checks the claims (exp not past and nbf not in the future, allowing a few seconds of skew; aud and iss match what this service expects) and accepts the token if they are all valid.
Can I decode the token I just generated?
Yes — there is a link to the JWT Decoder tool directly below the generated token. You can also paste it into the decoder at /tools/jwt-decoder to inspect the header, payload, and expiration status.