JWT Generator (HS256, HS384, HS512)
Create signed JSON Web Tokens with HMAC-SHA algorithms. Set custom claims, expiration, and secret — everything runs locally in your browser.
Last updated:
Recommended: 32+ random bytes for HS256, 48+ for HS384, 64+ for HS512.
Security: the secret is processed locally in your browser via the Web Crypto API. Never paste production secrets into online tools you don’t fully trust — including this one.
Set your header, payload claims, algorithm, and secret above to generate a signed JWT (HS256/384/512). Signing uses the Web Crypto API in your browser — the secret never leaves your device.
What is JWT Generator?
A JWT (JSON Web Token) is a compact, URL-safe token that carries signed claims between parties. This generator builds and signs tokens with HMAC-SHA algorithms (HS256, HS384, HS512): you provide the claims and a shared secret, and it produces the three dot-separated Base64URL segments — header, payload, and signature. It's ideal for creating test tokens for local development, API testing, and learning how JWTs are structured.
How to generate a signed JWT
- 1Choose an algorithm (HS256 is the common default).
- 2Edit the payload to include your claims — sub, exp, iat, and any custom fields.
- 3Enter your signing secret (a shared string for HMAC algorithms).
- 4Copy the generated token and use it as a Bearer token in Authorization headers.
Use Cases
Create test tokens for local dev
Generate a valid signed token to test protected endpoints without spinning up your full auth server.
Reproduce auth bugs
Craft a token with specific claims or an expired exp to reproduce and debug authorization edge cases.
Learn JWT structure
See exactly how header, payload, and signature combine — great for understanding the format hands-on.
Code Examples
Payload claims
{
"sub": "1234567890",
"name": "Ada",
"iat": 1516239022,
"exp": 1516242622
}Token shape
header.payload.signature
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.SIGNATUREKey Concepts
- Registered claims
- Standard fields: iss (issuer), sub (subject), aud (audience), exp (expiry), iat (issued-at), nbf (not-before). Use them for interoperability.
- HMAC vs RSA/ECDSA
- HS256/384/512 use one shared secret for both signing and verification. RS256/ES256 use a private/public key pair — better when many parties must verify but not sign.
- exp (expiration)
- A Unix timestamp after which the token is invalid. Always set a short exp for access tokens to limit blast radius if leaked.
Tips & Best Practices
- ▸Use secrets of at least 32 bytes for HS256, 48 for HS384, and 64 for HS512 — shorter secrets weaken the signature.
- ▸Never put sensitive data in the payload: it's Base64URL-encoded, not encrypted, and anyone can read it.
- ▸Always set exp. Tokens without expiry are a common security finding.
- ▸Generate test tokens only with throwaway secrets — never paste production signing keys into any web tool.
Frequently Asked Questions
Is my secret sent to any server?
No. All signing happens in your browser using the Web Crypto API. Neither the header, payload, nor secret leaves your device.
Why is RS256 (asymmetric) not supported?
RS256/ES256 require a private key which is a much heavier trust decision to paste into a web UI. This tool focuses on HMAC-based algorithms (HS256/384/512) that only need a shared secret.
How should I choose the secret?
Use at least 32 random bytes for HS256, 48 bytes for HS384, and 64 bytes for HS512. Anything shorter than the digest size weakens the security guarantee.
Related Tools
JWT Decoder
Decode JSON Web Tokens (JWT) to inspect the header, payload, and signature. Runs entirely in your browser — tokens are never sent to any server.
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes of any text online. All hashing happens in your browser using the Web Crypto API.
HMAC Generator
Compute HMAC signatures with SHA-1, SHA-256, SHA-384, or SHA-512. Used to verify API requests, sign webhooks, and authenticate messages.
JSON Formatter
Format, beautify, and validate JSON online. Free, fast, and 100% local — your data never leaves your browser.
JSON Validator
Validate JSON online with instant error location and structure statistics (depth, keys, node types). 100% local — your JSON never leaves the browser.
JSON → TypeScript
Convert JSON to TypeScript interfaces instantly. Generate strongly-typed TS types from any JSON sample.