Search tools

Find a tool by name or what it does.

JWT Generator (Signer)

Build and sign a JSON Web Token from a header, payload, and secret, right in your browser.

Secret encoding

The shared key, read as UTF-8 text. Everything runs in your browser. Nothing is uploaded.

Algorithm

Only HMAC signing is available. RS256, ES256, and other algorithms that need a private key are not supported here.

Claims

How to generate and sign a JWT online

  1. Set the header and payload

    Enter the token header and payload as JSON. Both parts are encoded the moment they are valid, with no button to press.

  2. Choose the algorithm and secret

    Pick HS256, HS384, or HS512 and enter the shared secret, as UTF-8 text or as a Base64 string, that the signature is built from.

  3. Add standard claims

    Optionally switch on issued-at and expiration so the iat and exp fields are filled from the current time with the time-to-live you choose.

  4. Copy the signed token

    The compact three-part token appears alongside its decoded header and payload. Copy it with one click.

Why use this tool

Live signing as you type

The header and payload are encoded and the signature is rebuilt the instant any input changes, so the token always matches what you see.

HS256, HS384, and HS512

Sign with any of the three HMAC algorithms using a shared secret. The secret can be plain UTF-8 text or a Base64 string.

Claim helpers

Switch on issued-at (iat) and expiration (exp) and the fields are filled from the current time with a time-to-live you set in minutes, hours, or days.

Decoded preview

Each token is shown decoded into its header and payload JSON, with iat, nbf, and exp echoed as readable local dates so you can confirm the claims before copying.

Symmetric signing, clearly flagged

Only HMAC signing is offered. Algorithms that need a private key, like RS256 or ES256, are out of scope, and the tool says so rather than hiding it.

Runs entirely in your browser

Everything happens on your device. The header, payload, and secret are never uploaded, stored, or logged anywhere.

About this tool

This JWT generator builds and signs a JSON Web Token entirely in your browser. You supply the header and payload as JSON, choose an HMAC algorithm, and enter a secret. The two parts are Base64URL-encoded, joined with a dot, and signed to produce the third segment, giving you a compact three-part token you can drop straight into an Authorization header or a test request.

Signing uses the HS256, HS384, and HS512 algorithms, all of which rely on a single shared secret. The secret is read as UTF-8 text by default, or as Base64 when your key is stored that way. Optional claim helpers set the issued-at (iat) and expiration (exp) fields from the current time, with a time-to-live you choose in minutes, hours, or days, so you can mint a token that expires exactly when you need. The decoded header and payload are shown next to the token so you can confirm every claim before copying.

Only symmetric HMAC signing is available here, because it needs nothing more than a secret both sides already share. Algorithms such as RS256 or ES256 sign with a private key and are intentionally out of scope. To read an existing token instead, use the JWT decoder; to work with arbitrary Base64 strings, the Base64 encoder handles those, and the hash generator covers standalone digests. Because a token often carries live credentials, nothing you type is uploaded, but treat every secret and token as sensitive.

Frequently asked questions

What does this JWT generator do?
It builds a JSON Web Token from a header and payload you provide, then signs it with a shared secret. The header and payload are Base64URL-encoded, joined with a dot, and a signature over that string is appended as the third segment, producing a compact token ready to use.
Which algorithms are supported?
The HMAC algorithms HS256, HS384, and HS512. These are symmetric, meaning the same secret both creates and verifies the signature. Asymmetric algorithms such as RS256 and ES256 need a private key and are not supported here.
What is the secret, and can I use a Base64 key?
The secret is the shared key the signature is derived from. By default it is read as plain UTF-8 text, so you can type any passphrase. If your key is stored as Base64, switch the secret encoding to Base64 and it is decoded to raw bytes before signing.
How do the iat and exp helpers work?
When you switch on issued-at, the iat claim is set to the current time. When you switch on expiration, the exp claim is set to the current time plus the time-to-live you pick in minutes, hours, or days. Both are shown as readable local dates in the decoded payload, and the Regenerate button refreshes them to the current moment.
Can I generate an RS256 or ES256 token?
No. RS256, ES256, and similar algorithms sign with a private key rather than a shared secret, so they are intentionally out of scope for this tool. Only the HMAC algorithms HS256, HS384, and HS512 are available.
Is my data uploaded anywhere?
No. Everything runs in your browser; nothing is sent to a server. Your header, payload, and secret never leave your device and are not stored or logged. Still, treat any token or secret you handle here as sensitive.

Related tools