JWT Generator / Signer

Generate and sign JWT tokens using HS256, HS384, or HS512 directly in your browser. Edit header and payload JSON, set your secret, and copy the signed token — no data sent to servers.

100% Client-Side Your data never leaves your browser Free · No Sign-Up
Algorithm

All processing is done locally in your browser.

Related Tools

JWT Decoder Decode and inspect JWT header, payload, and signature. Highlights expiry status and timestamp claims. HTTP Status Codes Searchable reference for all HTTP status codes (1xx–5xx) with descriptions and use cases. HMAC Generator Generate HMAC signatures using SHA-256, SHA-384, or SHA-512. Hex and Base64 output. Runs entirely in your browser. cURL to Code Converter Convert cURL commands to Python, JavaScript, Go, PHP, and Node.js code instantly. TOTP Generator Generate RFC 6238 TOTP codes with live countdown. Configurable algorithm, digits, and period. Includes QR code. JSON Schema Validator Validate JSON data against a JSON Schema online. Supports Draft-07 and Draft 2020-12. Shows error paths and detailed messages. 100% client-side.

How to Use

  1. Select the signing algorithm (HS256, HS384, or HS512).
  2. Edit the Header JSON if needed — the alg field syncs automatically.
  3. Edit the Payload JSON with your claims.
  4. Enter your secret (UTF-8 or Base64 format).
  5. Copy the generated token from the result box.

Common Use Cases

  • Local development: Quickly generate tokens for testing API endpoints or auth flows without running a backend.
  • Debugging: Inspect how header and payload JSON is encoded into a JWT.
  • Documentation: Generate example tokens for API docs or README files.
  • Learning: Understand how JWTs are structured and signed.

FAQ

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and type), a payload (claims), and a signature. JWTs are commonly used for authentication and information exchange.

Is my secret key sent to any server?

No. All signing is performed using the browser's built-in Web Crypto API (SubtleCrypto). Your header, payload, and secret never leave your browser.

Which algorithm should I choose?

HS256 (HMAC-SHA256) is the most widely used algorithm and is suitable for most use cases. HS384 and HS512 use larger hash outputs and are appropriate when extra security margin is required. All three are symmetric algorithms — the same secret is used to both sign and verify.

What does 'Secret is empty — token will be unsigned' mean?

If the secret field is left blank, the tool generates a token with an empty signature part. The resulting token is technically invalid for verification but can still be useful for inspecting the encoded header and payload structure.

Can I verify the token generated here on jwt.io?

Yes. Copy the generated token and paste it into jwt.io. Enter the same secret and select the matching algorithm to verify the signature.

What is the Base64 secret format option?

Some services provide secrets pre-encoded in Base64 (or Base64URL). Select the Base64 option when your secret is already in that form — the tool will decode it before signing, producing the correct signature.