JWT Generator
Generate JSON Web Tokens with custom header, payload, and HMAC-SHA256 signing. All processing happens in your browser using Web Crypto API.
HMAC-SHA256
HS256 is a symmetric signing algorithm. Both token creator and verifier share the same secret key. Suitable for server-to-server communication and internal APIs.
Standard Claims
iss— Issuersub— Subject (user ID)aud— Audienceexp— Expiration (Unix timestamp)iat— Issued at
Security Note
This tool generates JWTs for testing and development only. Never use weak secrets in production. For production systems, use RS256 (asymmetric) and manage keys securely. All signing happens locally in your browser.
How to Generate a JWT Token Online
- 1. Choose a Payload Template or write your own JSON payload with custom claims.
- 2. Optionally edit the Header — the default HS256 header works for most cases.
- 3. Enter a Secret Key for HMAC-SHA256 signing.
- 4. Click Generate JWT to produce the token. Click Copy or Decode to verify it.
Frequently Asked Questions
What is the difference between JWT Generator and JWT Decoder?
The JWT Generator creates new tokens by encoding a header and payload and signing them with a secret key. The JWT Decoder takes an existing token and extracts its header and payload without needing the secret.
Why only HS256?
HS256 (HMAC-SHA256) is the only symmetric algorithm that can be fully implemented in the browser using Web Crypto API without requiring key pair generation. RSA and EC algorithms require private key management that is better handled server-side.
What should I use as a secret key?
For testing, any string works. In production, use a cryptographically random key of at least 256 bits (32 bytes). Never hardcode secrets in client-side code or commit them to version control.
Is the generated JWT valid?
Yes, the generated JWT is a standards-compliant token signed with HMAC-SHA256. You can verify it using any JWT library (jsonwebtoken for Node.js, PyJWT for Python, etc.) with the same secret key.