Is my secret sent to a server?

No. Signing happens locally in your browser.

Which algorithm is supported?

HS256 (HMAC SHA-256) is supported for signing.

How do I verify the token?

Copy the generated JWT and open JWT Decoder. Paste the token, enter the same secret, and confirm the signature validates.

What format should exp/iat use?

Most JWT libraries expect `iat`, `nbf`, and `exp` as Unix timestamps (seconds since epoch).

New

JWT Generator

Runs in browser

Generate and sign JSON Web Tokens (JWT) with custom payload and secret. HS256 supported. Runs entirely in your browser.

A JWT has three parts: header.payload.signature. With HS256, the signature is an HMAC over Base64URL(header) + "." + Base64URL(payload) using your secret. Everything runs locally in your browser.

Presets

Header (read-only)

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload (JSON)

Secret (HS256)

Tip: Leave secret empty to preview header + payload encoding without a signature. For testing, set a secret and paste the output into JWT Decoder to verify the signature.

Generated JWT

Want to inspect a token? Open JWT Decoder.

How to use

Start from a preset
Pick a basic, auth, or complex preset to see realistic JWT payloads and common claims.
Edit payload JSON
Paste or modify the JWT payload. It must be a JSON object (not an array).
Add time-based claims
Optionally add `iat`, `nbf`, and `exp` as Unix timestamps to simulate real authentication tokens.
Enter a secret
Provide a secret to sign using HS256. Leaving it blank shows the unsigned `header.payload.` structure.
Copy and verify
Copy the generated JWT and open JWT Decoder to inspect header/payload and verify the signature with your secret.

Examples

Basic payload
A minimal token with a subject and name.
Input
```
{
  "sub": "123",
  "name": "Alice"
}
```
Output
```
header.payload.signature
```

Auth token with expiry

A realistic auth token with issuer, audience, roles, and expiration.

Input

{
  "iss": "https://api.example.com",
  "aud": "tooldock-web",
  "sub": "user_42",
  "email": "[email protected]",
  "roles": ["admin", "editor"],
  "scope": "tools:read tools:write",
  "iat": 1711324800,
  "exp": 1711328400
}

Complex nested payload

Nested objects and arrays similar to production authorization data.

Input

{
  "iss": "auth.example.com",
  "aud": ["app-web", "app-mobile"],
  "sub": "user_123",
  "tenant": "acme",
  "features": {
    "beta": true,
    "flags": ["new-dashboard", "ai-tools"]
  },
  "device": {
    "id": "device_9f2c",
    "platform": "ios"
  },
  "permissions": [
    { "resource": "projects", "actions": ["read", "write"] },
    { "resource": "billing", "actions": ["read"] }
  ],
  "iat": 1711324800,
  "nbf": 1711324800,
  "exp": 1711332000
}

Frequently asked questions

Is my secret sent to a server?: No. Signing happens locally in your browser.
Which algorithm is supported?: HS256 (HMAC SHA-256) is supported for signing.
How do I verify the token?: Copy the generated JWT and open JWT Decoder. Paste the token, enter the same secret, and confirm the signature validates.
What format should exp/iat use?: Most JWT libraries expect `iat`, `nbf`, and `exp` as Unix timestamps (seconds since epoch).

You might find these useful too.

JWT Generator tool

How to use

Start from a preset

Edit payload JSON

Add time-based claims

Enter a secret

Copy and verify

Examples

Basic payload

Auth token with expiry

Complex nested payload

Frequently asked questions

Related tools