JWT Generator

Generate signed JSON Web Tokens with custom payloads and HMAC signing. Configure claims, set expiration, and copy the signed JWT.

About This Tool

The JWT Generator creates signed JSON Web Tokens directly in your browser. JWTs are the industry-standard method for securely transmitting claims between parties in web applications. They are defined in RFC 7519 (https://datatracker.ietf.org/doc/html/rfc7519) and consist of three Base64url-encoded parts separated by dots: a header specifying the algorithm and token type, a payload containing the claims, and a signature that verifies the token has not been tampered with.

This tool supports HMAC-based signing using HS256, HS384, and HS512 algorithms via the Web Crypto API. HMAC (Hash-based Message Authentication Code) uses a shared secret key to produce the signature. The secret is combined with the encoded header and payload to generate a cryptographic hash that serves as proof of authenticity. When the recipient receives the token, they can recompute the signature using the same secret to verify the token's integrity.

Common use cases include generating tokens for API authentication during development, creating test JWTs for integration testing, prototyping OAuth 2.0 flows, and building demo payloads for documentation. The form mode provides guided inputs for standard registered claims like iss, sub, aud, exp, iat, and jti, along with support for arbitrary custom claims. The JSON mode gives you full control over the payload structure for advanced scenarios.

This tool is the complement to our JWT Decoder, which lets you inspect and verify existing tokens. Together they provide a complete JWT workflow for developers.

How to Use

  1. Select the signing algorithm (HS256, HS384, or HS512) from the header section.
  2. Choose between Form mode for guided claim input or JSON mode for raw payload editing.
  3. In form mode, fill in registered claims like issuer, subject, and audience. Use the expiration dropdown to set relative expiry times (e.g., 1 hour, 7 days) or choose an absolute date.
  4. Check the iat box to auto-set the issued-at timestamp to now. Use the jti field with the Generate UUID button for unique token IDs.
  5. Add any custom claims using the "Add Claim" button. Values are auto-typed: numbers, booleans, and JSON objects are parsed automatically.
  6. Enter your HMAC secret key. Toggle visibility with the eye icon.
  7. Click Generate JWT or press Ctrl+Enter. The signed token appears on the right with color-coded parts and a decoded preview.

FAQ

Is this tool secure? Does my secret leave the browser?

Yes, this tool is completely client-side. Your secret key, payload data, and the generated JWT never leave your browser. All signing is performed locally using the Web Crypto API built into your browser. No data is sent to any server, stored, or logged.

What is the difference between HS256, HS384, and HS512?

All three are HMAC algorithms that use a shared secret key. They differ in the underlying SHA hash function: HS256 uses SHA-256 (256-bit), HS384 uses SHA-384 (384-bit), and HS512 uses SHA-512 (512-bit). Longer hashes provide more bits of security but produce slightly longer signatures. HS256 is the most commonly used and is suitable for most applications.

Can I generate RSA or ECDSA signed JWTs?

This tool currently supports only HMAC (symmetric) signing. RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512) require public/private key pairs, which adds complexity. HMAC signing covers the majority of development and testing use cases.

What are registered claims?

Registered claims are predefined in the JWT specification (RFC 7519) and have specific meanings: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). While none are mandatory, using them ensures interoperability with JWT libraries and frameworks.

Should I use the generated JWTs in production?

This tool is designed for development, testing, and learning. In production, JWTs should be generated by your authentication server using securely managed keys. The tokens created here are cryptographically valid, but production systems require proper key management, rotation policies, and infrastructure that a browser-based tool cannot provide.

How do I verify the generated JWT?

Copy the generated JWT and paste it into our JWT Decoder. Enter the same secret key you used to sign it and click Verify. You can also verify it programmatically using any JWT library (e.g., jsonwebtoken for Node.js, PyJWT for Python, or golang-jwt for Go).
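Programmatic verification, and the HMAC signing step described under "About This Tool", can be reproduced with the Web Crypto API directly. The following is an added example, not this tool's source code: it signs a token, then verifies it with the algorithm pinned by the caller, the comparison done by `subtle.verify`, and `exp` checked. The function names and error messages are hypothetical, and the minimum secret length check comes from RFC 7518 section 3.2 rather than from this page.

```javascript
// Added example (not this tool's source): HMAC JWT signing and verification with Web Crypto.
// Function names are hypothetical; [hash, minimum key bytes] follows RFC 7518 section 3.2.
const ALGS = { HS256: ["SHA-256", 32], HS384: ["SHA-384", 48], HS512: ["SHA-512", 64] };
const enc = new TextEncoder();
const dec = new TextDecoder();

async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import("node:crypto")).webcrypto.subtle; // fallback for older Node.js
}

// Base64url without padding, as used for all three JWT parts.
const b64u = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64u = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

async function hmacKey(alg, secret, usage) {
  if (!Object.hasOwn(ALGS, alg)) throw new Error("unsupported alg");
  const [hash, minBytes] = ALGS[alg];
  const raw = enc.encode(secret);
  if (raw.length < minBytes) throw new Error("secret too short for " + alg);
  return (await getSubtle()).importKey("raw", raw, { name: "HMAC", hash }, false, [usage]);
}

async function signJwt(alg, payload, secret) {
  const key = await hmacKey(alg, secret, "sign");
  const head = b64u(enc.encode(JSON.stringify({ alg, typ: "JWT" })));
  const body = b64u(enc.encode(JSON.stringify(payload)));
  const sig = await (await getSubtle()).sign("HMAC", key, enc.encode(head + "." + body));
  return head + "." + body + "." + b64u(new Uint8Array(sig));
}

// Returns the payload or throws. The caller pins the algorithm; the header's alg is
// only compared against it, never used to choose how to verify.
async function verifyJwt(token, secret, expectedAlg, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  if (JSON.parse(dec.decode(unb64u(head))).alg !== expectedAlg) throw new Error("unexpected alg");
  const key = await hmacKey(expectedAlg, secret, "verify");
  const data = enc.encode(head + "." + body);
  const ok = await (await getSubtle()).verify("HMAC", key, unb64u(sig), data);
  if (!ok) throw new Error("bad signature");
  const payload = JSON.parse(dec.decode(unb64u(body)));
  if (typeof payload.exp === "number" && nowSec >= payload.exp) throw new Error("token expired");
  return payload;
}
```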

What format should custom claim values use?

Custom claim values are auto-typed. Numbers (e.g. 42), booleans (true/false), null, and valid JSON objects or arrays are parsed into their native types. Everything else is treated as a string. If you need full control, switch to JSON mode where you write the payload directly.
