JWT Configuration

Encoded Parts Preview

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzE2MjM5MDIyLCJleHAiOjE3MTYyNDI2MjJ9.signature

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "iat": 1716239022,
  "exp": 1716242622
}

Privacy First

Tokens are generated fully in your browser using the Web Crypto API. No header, payload, or secret key is sent to any server.

How to Use

  1. Select your signing algorithm.
  2. Enter a secret key for HMAC algorithms.
  3. Edit header and payload JSON.
  4. Click Generate JWT and copy your token.

Complete Guide to JWT Generation

What This JWT Generator Does

This tool creates JSON Web Tokens (JWTs) directly in your browser. You can customize the header and payload JSON, choose a signing algorithm, and generate production-style tokens for testing authentication and authorization flows.

Supported Algorithms

HS256

HMAC with SHA-256. Commonly used for app-level JWT signing with a shared secret.

HS384

HMAC with SHA-384. Useful when you need stronger hashing than HS256.

HS512

HMAC with SHA-512. Produces larger signatures and is often used in higher-security environments.

none

Unsigned tokens for local testing only. Never use in production authentication flows.

Common JWT Claims You Can Add

  • iss: Issuer identifier (who created the token)
  • sub: Subject identifier (usually user ID)
  • aud: Intended audience (API, service, app)
  • exp: Expiration timestamp (Unix seconds)
  • iat: Issued-at timestamp
  • nbf: Not-before timestamp
  • jti: Unique token ID for replay protection

Best Practices for JWT Creation

  • Use strong, high-entropy secrets for HMAC signing.
  • Keep token lifetimes short (for example, 15 minutes).
  • Avoid placing sensitive data in payload claims.
  • Always validate signature, issuer, audience, and expiry on the server.
  • Use HTTPS for all token transmission.
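
The server-side validation called for in the list above, as an added example (not this tool's own code): a Node.js verifier for HS256 tokens that pins the algorithm, compares the signature in constant time, and only then checks iss, aud, exp and nbf. The secret, issuer, audience and function names are constructed for illustration.

```javascript
// Added example: server-side HS256 verification (Node.js). Not the tool's own code.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed sample values (assumptions, not from the page).
const SECRET = 'constructed-demo-secret-do-not-reuse';
const EXPECTED = { iss: 'https://issuer.example', aud: 'orders-api' };

const b64url = (s) => Buffer.from(s).toString('base64url');
const mac = (input, secret) => createHmac('sha256', secret).update(input).digest('base64url');

// Helper for the demo: builds an HS256 token, or an unsigned one for alg "none".
function signToken(header, payload, secret) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${header.alg === 'none' ? '' : mac(input, secret)}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyToken(token, secret, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm server-side; a header saying "none" or anything else is rejected.
  if (header.alg !== 'HS256') return { ok: false, reason: 'alg' };
  // Compare the encoded MACs in constant time (lengths must match first).
  const want = Buffer.from(mac(`${parts[0]}.${parts[1]}`, secret));
  const got = Buffer.from(parts[2]);
  if (got.length !== want.length || !timingSafeEqual(got, want)) return { ok: false, reason: 'signature' };
  // Claims are trusted only after the signature check.
  if (claims.iss !== expected.iss) return { ok: false, reason: 'iss' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) return { ok: false, reason: 'aud' };
  if (typeof claims.exp !== 'number' || now >= claims.exp) return { ok: false, reason: 'exp' };
  if (typeof claims.nbf === 'number' && now < claims.nbf) return { ok: false, reason: 'nbf' };
  return { ok: true, claims };
}
```

Passing `now` explicitly makes expiry checks reproducible in tests; in a service, leave it at the default.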

Privacy and Local Processing

All token generation happens in your browser using the Web Crypto API. Your header, payload, and secret key are never sent to our servers.
