JWT Generator
Generate signed JWT tokens using HMAC with the Web Crypto API.
For testing purposes only. Never use client-side generated JWTs for production authentication.
Generate and decode JSON Web Tokens online: free JWT builder with HS256 support
JSON Web Tokens are the standard authentication mechanism for modern web APIs, single-page applications, and microservice architectures. Building and inspecting them manually is tedious: this tool does it instantly in your browser so you can focus on integration rather than Base64 encoding and HMAC hashing.
You can construct tokens with any combination of standard and custom claims, choose your HMAC algorithm, set an expiry, and sign with your secret key. The decoded view shows each section of the token separately so you can inspect the header, payload, and signature at a glance. All processing is local: your secret never touches a server.
Step-by-step guide
- 1Choose your algorithm
Select the HMAC signing algorithm: HS256 (most common), HS384, or HS512 depending on your security requirements. - 2Enter your secret key
Type or paste the secret key that will be used to sign the JWT. Keep this private: anyone with the secret can forge tokens. - 3Build the payload
Add claims to the payload: standard claims like sub, iss, aud, and exp, or any custom claims your application needs. - 4Set an expiry
Specify the token expiration time using the exp claim. This limits how long the token is valid after it is issued. - 5Copy and use the token
Click Copy to grab the generated JWT string and use it in your application, API request, or test suite.
Related Tools
CSV → JSON
Convert comma-separated data to JSON arrays with automatic header detection.
JSON → CSV
Convert JSON arrays of objects to CSV with automatic column extraction.
JSON → XML
Serialize JSON objects to well-formed XML with configurable root element.
XML → JSON
Parse XML documents to JSON with attribute and text node preservation.
Frequently Asked Questions
- What is a JSON Web Token (JWT)?
- A JWT is a compact, URL-safe token format used to securely transmit claims between parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (claims), and a signature.
- What is the difference between HS256, HS384, and HS512?
- All three are HMAC-based symmetric signing algorithms. The number indicates the SHA hash size in bits: HS256 uses SHA-256, HS384 uses SHA-384, and HS512 uses SHA-512. Larger hash sizes provide marginally more security at a slight performance cost.
- Is this tool safe to use with production secrets?
- This tool runs entirely in your browser with no server communication. However, we recommend using test or development secrets in any online tool. Never share your production signing secret with third-party services.
- What standard claims can I include in a JWT?
- Common registered claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Your application can also define custom private claims.
- What does the signature verify?
- The signature ensures that the header and payload have not been tampered with. Any modification to the token body will invalidate the signature when it is verified against the original secret.
- Can I decode a JWT without the secret?
- Yes. The header and payload of a JWT are only Base64URL-encoded, not encrypted, so anyone can decode and read them. Verifying the signature requires the secret key.
- Does this tool store my secret or tokens?
- No. Everything runs in your browser and nothing is sent to a server or retained after you close the page.
- Is this tool free?
- Yes, completely free with no account, no sign-up, and no usage limits.
- What is the exp claim format?
- The exp claim is a Unix timestamp (seconds since 1 January 1970 UTC) indicating when the token expires. Most JWT libraries accept relative shorthand like 1h or 7d when creating tokens programmatically.
AlteredIdea vs alternatives
vs server-side converters: AlteredIdea converts in your browser: your data never leaves your device.
vs writing scripts: Instant results, no coding needed.
vs paid tools: Completely free, no account required.