🔐 JWT Generator
Create and sign JSON Web Tokens with HS256, HS384 or HS512 — edit the payload, add claims with one tap, and copy a ready-to-use token. Signed in your browser, instant & 100% private.
🔒 Everything runs in your browser with the Web Crypto API — your secret and claims never leave your device. Use real secrets only on trusted machines.
A JWT Generator That Actually Signs
Real HMAC signatures, a live claims editor, and the stats to understand exactly what you're shipping.
Real Signing
Tokens are signed with the Web Crypto API using HMAC — a server with the same secret will verify them as authentic.
Live & Instant
The token rebuilds the moment you change the algorithm, secret or any claim — no submit button, no waiting.
One-Click Claims
Add iat, nbf, a random jti, or an expiry (+15m to +1y) with a tap — no need to remember Unix timestamps.
Secret-Strength Check
We compare your secret length against the algorithm's minimum and warn you when it's too short to be secure.
Stats & Insights
See token size, per-segment composition, claim count and a live expiry status — not just the raw string.
Private & Free
100% in your browser — your secret never leaves your device. No login, no limits, dark mode, responsive to 280px.
How to Generate a JWT
Four steps — the token signs itself as you go.
Pick algorithm & secret
Choose HS256, HS384 or HS512 and enter (or randomly generate) a signing secret of adequate length.
Edit the payload
Write your claims as JSON, or use the quick-add chips for iat, nbf, exp presets and a random jti.
Grab the signed token
The colour-coded JWT appears right below the editor. Tap 'Copy token' to use it in your app or API call.
Check the details
Review the expiry status, size composition and decoded claims to confirm the token is exactly what you expect.
Frequently Asked Questions
What it does, signing vs encoding, choosing an algorithm, secret length, registered claims and privacy.
What does this JWT generator do?
It builds a complete, signed JSON Web Token from your inputs: it base64url-encodes a header and your payload, then signs them with your secret using HMAC (HS256, HS384 or HS512). The result is a ready-to-use token in the standard header.payload.signature format that any JWT library can verify with the same secret.
How do I use it?
Pick an algorithm, enter a signing secret, and edit the payload JSON. Use the quick-add chips to insert standard claims like iat (issued-at), exp (expiry) or a random jti. The signed token appears instantly below the editor — tap 'Copy token' to grab it. Everything updates live as you type.
Is the token actually signed, or just encoded?
It is genuinely signed. The signature is computed with the Web Crypto API using your secret key, so a server holding the same secret will verify it as authentic. This is different from a decoder, which only reads a token — here the signature is real cryptography, not just base64.
Which algorithm should I choose — HS256, HS384 or HS512?
HS256 is the most common and is fine for most applications. HS384 and HS512 use larger hashes and need longer secrets, offering more margin at a tiny size cost. The number is the SHA hash size in bits; your secret should be at least that long, which the tool checks for you.
How long should my JWT secret be?
For HS256 use a secret of at least 256 bits (32 bytes); HS384 and HS512 want 384 and 512 bits respectively. A short, guessable secret is the number-one cause of forged tokens. Use the 🎲 Random button to generate a strong 256-bit secret, and never reuse a secret across environments.
What are registered claims like iss, sub, exp and iat?
These are standard fields defined by the JWT spec (RFC 7519). iss is the issuer, sub the subject (often a user ID), aud the audience, exp the expiry time, nbf the not-before time, iat the issued-at time, and jti a unique token ID. They're optional but widely supported — the decoded view explains each one you add.
Is it safe to paste my real secret here?
Yes — the token is signed entirely in your browser using the Web Crypto API, and your secret and claims are never sent anywhere or stored. That said, only enter production secrets on a device and network you trust, as with any sensitive value.
Is JWT encryption? Can I hide data in the payload?
No. A JWT's payload is only base64url-encoded, so anyone can read it — the signature proves it hasn't been tampered with, but it doesn't hide anything. Never put passwords or secrets in a JWT payload. If you need confidentiality, encrypt the data separately or use JWE.
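What a server holding the same secret does with such a token, as an added Python example (not this tool's own code, which uses the Web Crypto API in the browser). It covers the signing, secret-length, exp/nbf and "encoded, not encrypted" answers above; the function names and the sample secret are constructed for illustration.

```python
import base64, hashlib, hmac, json, time
# alg -> (hash, minimum secret length in bytes: the hash size, as advised above)
ALGS = {"HS256": (hashlib.sha256, 32), "HS384": (hashlib.sha384, 48),
        "HS512": (hashlib.sha512, 64)}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(alg, secret, signing_input):
    digest, min_len = ALGS[alg]
    if len(secret) < min_len:
        raise ValueError(f"{alg} secret must be at least {min_len} bytes")
    return hmac.new(secret, signing_input.encode("ascii"), digest).digest()

def sign(claims, secret, alg="HS256"):
    header = {"alg": alg, "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(_mac(alg, secret, signing_input))

def verify(token, secret, expected_alg="HS256", now=None):
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm server-side; the token's own header must not choose it.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    expected = _mac(expected_alg, secret, f"{head_b64}.{body_b64}")
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # parsed only after the MAC checks out
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims

if __name__ == "__main__":
    secret = bytes(range(32))  # constructed 32-byte sample secret, not for real use
    token = sign({"sub": "user-1", "exp": int(time.time()) + 900}, secret)
    print(token, verify(token, secret))
```

The payload segment decodes with `b64url_decode` alone, without the secret, which is why nothing confidential belongs in it.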