JWT Generator (Signer)
Build and sign a JSON Web Token from a header, payload, and secret, right in your browser.
The shared key, read as UTF-8 text. Everything runs in your browser. Nothing is uploaded.
Only HMAC signing is available. RS256, ES256, and other algorithms that need a private key are not supported here.
How to generate and sign a JWT online
Set the header and payload
Enter the token header and payload as JSON. Both parts are encoded the moment they are valid, with no button to press.
Choose the algorithm and secret
Pick HS256, HS384, or HS512 and enter the shared secret, as UTF-8 text or as a Base64 string, that the signature is built from.
Add standard claims
Optionally switch on issued-at and expiration so the iat and exp fields are filled from the current time with the time-to-live you choose.
Copy the signed token
The compact three-part token appears alongside its decoded header and payload. Copy it with one click.
Why use this tool
Live signing as you type
The header and payload are encoded and the signature is rebuilt the instant any input changes, so the token always matches what you see.
HS256, HS384, and HS512
Sign with any of the three HMAC algorithms using a shared secret. The secret can be plain UTF-8 text or a Base64 string.
Claim helpers
Switch on issued-at (iat) and expiration (exp) and the fields are filled from the current time with a time-to-live you set in minutes, hours, or days.
Decoded preview
Each token is shown decoded into its header and payload JSON, with iat, nbf, and exp echoed as readable local dates so you can confirm the claims before copying.
Symmetric signing, clearly flagged
Only HMAC signing is offered. Algorithms that need a private key, like RS256 or ES256, are out of scope, and the tool says so rather than hiding it.
Runs entirely in your browser
Everything happens on your device. The header, payload, and secret are never uploaded, stored, or logged anywhere.
About this tool
This JWT generator builds and signs a JSON Web Token entirely in your browser. You supply the header and payload as JSON, choose an HMAC algorithm, and enter a secret. The two parts are Base64URL-encoded, joined with a dot, and signed to produce the third segment, giving you a compact three-part token you can drop straight into an Authorization header or a test request.
Signing uses the HS256, HS384, and HS512 algorithms, all of which rely on a single shared secret. The secret is read as UTF-8 text by default, or as Base64 when your key is stored that way. Optional claim helpers set the issued-at (iat) and expiration (exp) fields from the current time, with a time-to-live you choose in minutes, hours, or days, so you can mint a token that expires exactly when you need. The decoded header and payload are shown next to the token so you can confirm every claim before copying.
Only symmetric HMAC signing is available here, because it needs nothing more than a secret both sides already share. Algorithms such as RS256 or ES256 sign with a private key and are intentionally out of scope. To read an existing token instead, use the JWT decoder; to work with arbitrary Base64 strings, the Base64 encoder handles those, and the hash generator covers standalone digests. Because a token often carries live credentials, nothing you type is uploaded, but treat every secret and token as sensitive.
Frequently asked questions
- What does this JWT generator do?
- It builds a JSON Web Token from a header and payload you provide, then signs it with a shared secret. The header and payload are Base64URL-encoded, joined with a dot, and a signature over that string is appended as the third segment, producing a compact token ready to use.
- Which algorithms are supported?
- The HMAC algorithms HS256, HS384, and HS512. These are symmetric, meaning the same secret both creates and verifies the signature. Asymmetric algorithms such as RS256 and ES256 need a private key and are not supported here.
- What is the secret, and can I use a Base64 key?
- The secret is the shared key the signature is derived from. By default it is read as plain UTF-8 text, so you can type any passphrase. If your key is stored as Base64, switch the secret encoding to Base64 and it is decoded to raw bytes before signing.
- How do the iat and exp helpers work?
- When you switch on issued-at, the iat claim is set to the current time. When you switch on expiration, the exp claim is set to the current time plus the time-to-live you pick in minutes, hours, or days. Both are shown as readable local dates in the decoded payload, and the Regenerate button refreshes them to the current moment.
- Can I generate an RS256 or ES256 token?
- No. RS256, ES256, and similar algorithms sign with a private key rather than a shared secret, so they are intentionally out of scope for this tool. Only the HMAC algorithms HS256, HS384, and HS512 are available.
- Is my data uploaded anywhere?
- No. Everything runs in your browser; nothing is sent to a server. Your header, payload, and secret never leave your device and are not stored or logged. Still, treat any token or secret you handle here as sensitive.
Related tools
JWT Decoder
Decode a JSON Web Token and optionally verify its signature, right in your browser.
Base64 Encode & Decode
Encode text, files, and images to Base64, decode it back, and get a ready-to-use data URI.
Hash Generator
Hash text or any file to MD5, SHA-1, SHA-256, and SHA-512, and verify a checksum.
API Key Generator
Generate cryptographically random API keys and tokens in hex, base62, or base64url, with control over length, an optional prefix, and bulk output.
ASCII Table Reference
The full ASCII character set with decimal, hex, octal, binary, and HTML codes. Search by code, character, or name.
Atbash Cipher
Mirror the alphabet so A swaps with Z, B with Y, and so on. Atbash is its own inverse, so one field both encodes and decodes as you type.