JWT Generator
Runs in browser. Create and sign JWT tokens locally with HS256 in the browser.
Generate and sign JSON Web Tokens (JWT) with custom payload and secret. HS256 supported. Runs entirely in your browser.
A JWT has three parts: header.payload.signature. With HS256, the signature is an HMAC over Base64URL(header) + "." + Base64URL(payload) using your secret. Everything runs locally in your browser.
{
  "alg": "HS256",
  "typ": "JWT"
}
Tip: Leave secret empty to preview header + payload encoding without a signature. For testing, set a secret and paste the output into JWT Decoder to verify the signature.
🔒 Runs in your browser · No uploads · Your data never leaves your device
How to use
Start from a preset
Pick a basic, auth, or complex preset to see realistic JWT payloads and common claims.
Edit payload JSON
Paste or modify the JWT payload. It must be a JSON object (not an array).
Add time-based claims
Optionally add `iat`, `nbf`, and `exp` as Unix timestamps to simulate real authentication tokens.
Enter a secret
Provide a secret to sign using HS256. Leaving it blank shows the unsigned `header.payload.` structure.
Copy and verify
Copy the generated JWT and open JWT Decoder to inspect header/payload and verify the signature with your secret.
Common use cases
- Generating test tokens for API development — Create JWTs with custom claims to test protected API endpoints during development without running an auth server.
- Learning JWT structure — Experiment with different algorithms and payloads to understand how JWT signing and verification works.
- Prototyping authentication flows — Generate tokens with specific roles or scopes to prototype role-based access control before integrating a real auth provider.
Examples
Basic payload
A minimal token with a subject and name.
Input: { "sub": "123", "name": "Alice" }
Output: header.payload.signature
Auth token with expiry
A realistic auth token with issuer, audience, roles, and expiration.
Input: { "iss": "https://api.example.com", "aud": "tooldock-web", "sub": "user_42", "email": "[email protected]", "roles": ["admin", "editor"], "scope": "tools:read tools:write", "iat": 1711324800, "exp": 1711328400 }
Complex nested payload
Nested objects and arrays similar to production authorization data.
Input: { "iss": "auth.example.com", "aud": ["app-web", "app-mobile"], "sub": "user_123", "tenant": "acme", "features": { "beta": true, "flags": ["new-dashboard", "ai-tools"] }, "device": { "id": "device_9f2c", "platform": "ios" }, "permissions": [ { "resource": "projects", "actions": ["read", "write"] }, { "resource": "billing", "actions": ["read"] } ], "iat": 1711324800, "nbf": 1711324800, "exp": 1711332000 }
Frequently asked questions
- Is my secret sent to a server?
- No. Signing happens locally in your browser.
- Which algorithm is supported?
- HS256 (HMAC SHA-256) is supported for signing.
- How do I verify the token?
- Copy the generated JWT and open JWT Decoder. Paste the token, enter the same secret, and confirm the signature validates.
- What format should exp/iat use?
- Most JWT libraries expect `iat`, `nbf`, and `exp` as Unix timestamps (seconds since epoch).
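The signing rule described at the top of the page and the verification step from the FAQ, as an added example that is not the tool's own code. It assumes Node's built-in crypto module rather than the browser; the names signHS256 and verifyHS256 and the secret are constructed for illustration.

```javascript
// Added example (not the tool's code). Uses Node's built-in crypto module.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (text) => Buffer.from(text, "base64url");

function hmac(signingInput, secret) {
  if (!secret) throw new Error("secret required"); // never sign or verify with an empty key
  return nodeCrypto.createHmac("sha256", secret).update(signingInput).digest();
}

// signature = HMAC-SHA256(secret, Base64URL(header) + "." + Base64URL(payload))
function signHS256(payload, secret) {
  const header = { alg: "HS256", typ: "JWT" };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${b64url(hmac(signingInput, secret))}`;
}

// Returns the payload, or throws an Error naming why the token was rejected.
function verifyHS256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(fromB64url(h).toString("utf8"));
    payload = JSON.parse(fromB64url(p).toString("utf8"));
  } catch {
    throw new Error("malformed token");
  }
  const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
  if (!isObject(header) || !isObject(payload)) throw new Error("malformed token");
  // Pin the algorithm; the token's own header must not choose how it is checked.
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = hmac(`${h}.${p}`, secret);
  const given = fromB64url(s);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  // Time claims are Unix seconds; only trust them after the signature checks out.
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) throw new Error("not yet valid");
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) throw new Error("expired");
  return payload;
}

// Constructed sample input: claims borrowed from the "Auth token with expiry" preset.
const demoToken = signHS256({ sub: "user_42", iat: 1711324800, exp: 1711328400 }, "constructed-demo-secret");
console.log(demoToken, verifyHS256(demoToken, "constructed-demo-secret", 1711324900));
```

The unsigned `header.payload.` preview form is rejected by this verifier because its signature segment is empty.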
Key concepts
- HMAC
- Hash-based Message Authentication Code — a signing method that uses a shared secret to generate and verify JWT signatures (e.g. HS256).
- Algorithm (alg)
- The signing algorithm declared in the JWT header, such as HS256 (HMAC-SHA256) or RS256 (RSA-SHA256).
- Secret key
- The private key or shared secret used to sign a JWT; with HS256, the same shared secret is required to verify token authenticity.