JWT Generator

Generate signed JWT tokens using HMAC with the Web Crypto API.

For testing purposes only. Never use client-side generated JWTs for production authentication.

Fill in the fields and click Generate JWT

Generate and decode JSON Web Tokens online: free JWT builder with HS256 support

JSON Web Tokens are the standard authentication mechanism for modern web APIs, single-page applications, and microservice architectures. Building and inspecting them manually is tedious: this tool does it instantly in your browser so you can focus on integration rather than Base64 encoding and HMAC hashing.

You can construct tokens with any combination of standard and custom claims, choose your HMAC algorithm, set an expiry, and sign with your secret key. The decoded view shows each section of the token separately so you can inspect the header, payload, and signature at a glance. All processing is local: your secret never touches a server.

Step-by-step guide

  1. 1
    Choose your algorithm
    Select the HMAC signing algorithm: HS256 (most common), HS384, or HS512 depending on your security requirements.
  2. 2
    Enter your secret key
    Type or paste the secret key that will be used to sign the JWT. Keep this private: anyone with the secret can forge tokens.
  3. 3
    Build the payload
    Add claims to the payload: standard claims like sub, iss, aud, and exp, or any custom claims your application needs.
  4. 4
    Set an expiry
    Specify the token expiration time using the exp claim. This limits how long the token is valid after it is issued.
  5. 5
    Copy and use the token
    Click Copy to grab the generated JWT string and use it in your application, API request, or test suite.

Related Tools

Frequently Asked Questions

What is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token format used to securely transmit claims between parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims), and a signature.
What is the difference between HS256, HS384, and HS512?
All three are HMAC-based symmetric signing algorithms. The number indicates the SHA hash size in bits: HS256 uses SHA-256, HS384 uses SHA-384, and HS512 uses SHA-512. Larger hash sizes provide marginally more security at a slight performance cost.
Is this tool safe to use with production secrets?
This tool runs entirely in your browser with no server communication. However, we recommend using test or development secrets in any online tool. Never share your production signing secret with third-party services.
What standard claims can I include in a JWT?
Common registered claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Your application can also define custom private claims.
What does the signature verify?
The signature ensures that the header and payload have not been tampered with. Any modification to the token body will invalidate the signature when it is verified against the original secret.
Can I decode a JWT without the secret?
Yes. The header and payload of a JWT are only Base64URL-encoded, not encrypted, so anyone can decode and read them. Verifying the signature requires the secret key.
Does this tool store my secret or tokens?
No. Everything runs in your browser and nothing is sent to a server or retained after you close the page.
Is this tool free?
Yes, completely free with no account, no sign-up, and no usage limits.
What is the exp claim format?
The exp claim is a Unix timestamp (seconds since 1 January 1970 UTC) indicating when the token expires. Most JWT libraries accept relative shorthand like 1h or 7d when creating tokens programmatically.

AlteredIdea vs alternatives

vs server-side converters: AlteredIdea converts in your browser: your data never leaves your device.

vs writing scripts: Instant results, no coding needed.

vs paid tools: Completely free, no account required.