Base64EncoderDecoder.com

JWT Encoder & Token Generator

Build and sign a JSON Web Token from your claims using HMAC SHA-256, SHA-384, or SHA-512 — entirely in your browser.

RS256 / ES256 require an asymmetric private key and are not supported in this browser tool.

Used as the HMAC key. For HS256 use at least 32 bytes of entropy. Never reuse a production secret in a public tool.

Tokens are generated locally with the Web Crypto API. Your payload and secret never leave your browser.

Local signing

Signing happens in your browser with the Web Crypto API. Your secret and payload are never transmitted.

Instant output

Generate a complete header.payload.signature JWT in a single click — ready to paste into Authorization headers.

HS256 / HS384 / HS512

Choose the HMAC variant that matches your backend. All three are produced from the same secret with native crypto.

How to generate a JWT

A signed JSON Web Token is built in three steps: base64url-encode a JSON header that declares the signing algorithm, base64url-encode a JSON payload containing your claims, and append an HMAC or RSA signature computed over header.payload. This tool performs all three steps locally for the HMAC family (HS256, HS384, HS512) so you can produce a real, verifiable token without writing any code.

Standard claims worth knowing

  • iss — the issuer that created the token
  • sub — the subject (typically a user id)
  • aud — the intended audience (API or service)
  • exp — expiration time as Unix seconds
  • nbf — not-before time (the token is invalid before this moment)
  • iat — when the token was issued
  • jti — a unique identifier used to revoke or deduplicate tokens

Security checklist

  • Use a high-entropy secret (32+ bytes for HS256). Never use a dictionary word.
  • Always include an exp claim — tokens without expiration are extremely hard to revoke.
  • Validate iss and aud on the server, not just the signature.
  • Treat any token containing real user data as a credential and transmit it only over HTTPS.
  • Never paste production secrets into third-party tools — generate test tokens with a throwaway secret.

Frequently asked questions

What does this JWT encoder do?

It builds and signs a JSON Web Token from a JSON payload you supply. Pick an HMAC algorithm (HS256, HS384, or HS512), enter a secret, and the tool produces a complete header.payload.signature token you can paste into an Authorization header or test against your backend.

Which signing algorithms are supported?

This tool supports HS256, HS384, and HS512 — all HMAC-based symmetric algorithms that use a shared secret. Asymmetric algorithms like RS256, RS384, ES256, and EdDSA require a private key file and are intentionally not supported here to avoid handling private keys in the browser.

Is my secret sent to a server?

No. Signing is done locally with the browser's built-in Web Crypto API (crypto.subtle). Your payload, secret, and the resulting token never leave your device — there are no network requests, no logging, and no storage.

What should I put in the payload?

A JSON object containing your claims. Common standard claims are sub (subject / user id), iss (issuer), aud (audience), exp (expiration as Unix seconds), nbf (not before), and iat (issued at). You can also include any custom claims your application needs, such as role, scope, or tenant_id.

How do I set an expiration time?

Add an exp claim with a Unix timestamp in seconds. For example, to expire in one hour from now use Math.floor(Date.now()/1000) + 3600. The sample payload in this tool includes a working iat and exp pair you can copy and adjust.

How strong should my HMAC secret be?

RFC 7518 recommends a key of at least the same length as the hash output: 256 bits (32 bytes) for HS256, 384 bits for HS384, and 512 bits for HS512. Use a cryptographically random secret — never a dictionary word or a short string — and store it as an environment variable on your server.

Can I use this token in production?

You can, but the security of the token depends entirely on the secret you used to sign it. Anyone who has the secret can forge tokens with arbitrary claims, so never paste a real production secret into any third-party tool — including this one. For production use, generate and sign tokens on your server with a secret stored in a secrets manager.

Why is the header always {"alg":"...","typ":"JWT"}?

That is the standard minimal header for a signed JWT. The alg field tells verifiers which algorithm to use, and typ identifies the token as a JWT (this is informational only). This tool fixes the header so the output is interoperable with every JWT library — you only need to control the claims.

How can I verify a token I generated here?

Use the JWT Decoder on this site to inspect the header and payload, then use any JWT library on your server (jsonwebtoken for Node.js, PyJWT for Python, jose for many languages) with the same secret and algorithm to verify the signature. If verification passes, the token is intact and was signed with the secret you supplied.

More free developer tools

Part of our growing tool belt — all client-side, all free.

Regex Generator

Build regular expressions visually with blocks, quantifiers, presets, and live match preview — all in your browser.

Open tool

Regex Tester & Debugger

Test regular expressions with real-time match highlighting, capture groups, and replacement preview — all in your browser.

Open tool

Diff Checker & Text Compare

Compare two texts side by side or unified — spot every addition, deletion, and change instantly and privately.

Open tool