JWT Generator

Create and sign JWTs with a custom payload and secret key.

Create signed JWT tokens with HMAC (HS256, HS384, HS512). All signing happens in your browser.

100% browser-side. No server. No data sent. Your secret never leaves your device.
For development and testing only. Do not use production secrets in the browser.

Supported alg: HS256, HS384, HS512

iat is set automatically to current time when you generate.

Shortcut: Ctrl+Enter or Cmd+Enter to generate

About JWT Generator

Create JWTs for development and testing. Use standard claims like sub, iat, exp, iss, aud. Signing uses the Web Crypto API in your browser—100% browser-side, no server, no data sent.

After generating a token, inspect claim timing and token structure in our JWT encoder decoder to validate header, payload, exp, nbf, and iat values before using it in your auth flow.

By Muhammad Abdullah Rauf · Founder, EverydayTools.pro · Updated 2026

Workflow guides

Step-by-step chains that connect related tools for common tasks.

Generate a signed JWT for testing

  1. Select the signing algorithm (HS256, HS384, or HS512).
  2. Edit the payload JSON to include the claims you need (sub, exp, role, etc.).
  3. Enter your secret key in the signing key field.
  4. Click Generate — copy the resulting JWT for use in your API client or test suite.

Frequently Asked Questions

What is a JSON Web Token (JWT)?

A JWT is a compact, URL-safe token composed of three Base64url-encoded sections: header (algorithm and type), payload (claims like user ID and expiration), and signature. The server signs the header+payload with a secret key; the client sends the JWT in subsequent requests and the server verifies the signature to confirm authenticity.
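The sign-and-verify flow described above, written against the Web Crypto API as an added example (it is not this tool's source code). The names `signJwt` and `verifyJwt`, the optional `now` parameter, and the verifier's `exp`/`nbf` handling are assumptions made for illustration.

```javascript
// Added example (not the tool's source): HMAC JWT signing and verification with Web Crypto.
// Browsers and Node 19+ expose `crypto` globally; older Node falls back to webcrypto.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;
const HASH = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const enc = new TextEncoder(), dec = new TextDecoder();
const nowSec = () => Math.floor(Date.now() / 1000);

const b64url = (bytes) =>
  btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};
const importKey = (secret, alg) => subtle.importKey(
  "raw", enc.encode(secret), { name: "HMAC", hash: HASH[alg] }, false, ["sign", "verify"]);

// Sign: the signature covers the ASCII string base64url(header) + "." + base64url(payload).
async function signJwt(payload, secret, alg = "HS256", now = nowSec()) {
  if (!HASH[alg]) throw new Error(`unsupported alg: ${alg}`);
  const parts = [{ alg, typ: "JWT" }, { ...payload, iat: now }]; // iat set at generation time
  const input = parts.map((p) => b64url(enc.encode(JSON.stringify(p)))).join(".");
  const sig = await subtle.sign("HMAC", await importKey(secret, alg), enc.encode(input));
  return `${input}.${b64url(sig)}`;
}

// Verify: returns the claims, or null if the token fails any check.
async function verifyJwt(token, secret, expectedAlg = "HS256", now = nowSec()) {
  const [h, p, s, ...extra] = String(token).split(".");
  if (!h || !p || !s || extra.length) return null;
  try {
    // Pin the algorithm on the verifier side; the header only has to match it.
    if (JSON.parse(dec.decode(b64urlDecode(h))).alg !== expectedAlg) return null;
    const key = await importKey(secret, expectedAlg);
    const ok = await subtle.verify("HMAC", key, b64urlDecode(s), enc.encode(`${h}.${p}`));
    if (!ok) return null;
    const claims = JSON.parse(dec.decode(b64urlDecode(p)));
    if (typeof claims.exp === "number" && now >= claims.exp) return null; // expired
    if (typeof claims.nbf === "number" && now < claims.nbf) return null;  // not yet valid
    return claims;
  } catch {
    return null; // malformed base64url or JSON
  }
}
```

The payload segment is only Base64url-encoded, so anyone holding the token can read its claims; the signature protects integrity, not confidentiality.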

Which HMAC algorithm should I use — HS256, HS384, or HS512?

HS256 (HMAC-SHA256) is the most widely supported and sufficient for most applications. HS384 and HS512 produce larger signatures but are otherwise equivalent for symmetric signing. All three are browser-safe and use the Web Crypto API. If you need asymmetric signing (public/private key), use RS256 or ES256 instead — those are not supported in this tool.

Is my JWT secret exposed when using this tool?

No. Signing runs entirely in your browser using the Web Crypto API. Your secret key and payload never leave your device. Do not use real production secrets in any browser-based tool; use a dedicated key management system for production JWTs.

What is the difference between JWT and an API key?

An API key is a static opaque string: the server looks it up in a database to authenticate. A JWT is a self-contained token: the server verifies the signature without a database lookup. JWTs carry claims (user ID, roles, expiry) and expire automatically once the time in their exp claim passes; API keys do not expire unless revoked.
