JWT Generator

Generate JSON Web Tokens with multiple algorithm support and custom claims

What is JWT Generation?

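JSON Web Tokens (JWT) are a secure way to transmit information between parties as a JSON object. The signature lets the recipient check that the token has not been altered, but the header and payload are only base64url-encoded, not encrypted, so anyone holding the token can read them. This tool allows you to create JWTs with custom payloads and standard claims, signed with either HMAC (symmetric) or RSA (asymmetric) algorithms.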

How to Use

  1. Select your signing algorithm (HS256, HS384, HS512, RS256, RS384, or RS512)
  2. Enter your secret key (for HMAC) or private key (for RSA)
  3. Add your custom payload as valid JSON
  4. Optionally configure standard claims (issuer, audience, expiration, etc.)
  5. Click "Generate JWT" to create your token
  6. Copy the generated token for use in your application

Example

Payload:

{
  "userId": "123",
  "email": "user@example.com",
  "role": "admin"
}

Configuration:

  • Algorithm: HS256
  • Secret: your-secret-key
  • Issuer: https://example.com
  • Expires In: 3600 seconds (1 hour)

Generated JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIxMjMiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJyb2xlIjoiYWRtaW4iLCJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9.signature

Understanding JWT Algorithms

  • HS256/HS384/HS512: HMAC algorithms using a shared secret key. Faster and simpler, but both parties need the same secret.
  • RS256/RS384/RS512: RSA algorithms using public/private key pairs: the private key signs and the public key verifies. More secure for distributed systems where you can't share secrets.

Standard JWT Claims

  • iss (Issuer): Who created and signed the token
  • sub (Subject): Who the token is about (usually user ID)
  • aud (Audience): Who the token is intended for
  • exp (Expiration): When the token expires (Unix timestamp)
  • nbf (Not Before): When the token becomes valid (Unix timestamp)
  • iat (Issued At): When the token was created (automatically added)

Security Best Practices

  • Never expose your secret keys or private keys in client-side code
  • Always generate JWTs on your secure backend server in production
  • Use strong, randomly generated secrets (at least 256 bits for HS256)
  • Set appropriate expiration times - shorter is more secure
  • Use RS256 for public APIs where you can't share secrets
  • Validate all JWTs on your server before trusting the data: check the signature, the expected algorithm, and claims such as exp, nbf, iss and aud

Privacy Notice

All JWT generation happens entirely in your browser. Your secrets, keys, and payload data are never transmitted to any server. However, remember that this tool is for testing and development only - never use production secrets in browser-based tools.