JWT Generator (Sign HS256)

Create and sign a JSON Web Token (JWT) with HS256, HS384, or HS512 and your secret — entirely in your browser. Payload, secret, and token never leave your device.

Runs in your browser — nothing uploaded

The token is signed with HMAC and your secret using the Web Crypto API — the payload, secret, and token never leave your browser. Paste the result into the JWT Decoder to verify it. Only use real secrets on a device you trust.

Build and sign a JSON Web Token with HS256, HS384, or HS512. Enter your claims and a secret, and get a ready-to-use token — signed in your browser with the Web Crypto API, so nothing leaves your device.

Private by design — your data never leaves your device

How to use it

No account, no upload — it all happens on your device.

1
Edit the payload JSON (claims like sub, name, iat).
2
Choose the algorithm and enter your secret.
3
Click Generate token.
4
Copy the signed JWT, or verify it in the JWT Decoder.

Anatomy of a JWT

Three base64url parts joined by dots.

A JWT is header.payload.signature. The header names the algorithm, the payload holds your claims, and the signature is an HMAC of the first two parts using your secret. Changing any part invalidates the signature — that's what lets a server trust it.

Security notes

  • Not encrypted. The payload is only base64url encoded — anyone can read it. Never store secrets in it.
  • Use a strong secret. HMAC security rests on the secret; short ones are guessable. Test one with the Password Strength Checker.
  • Verify with the decoder. Round-trip your token through the JWT Decoder.

Frequently asked

Which algorithms are supported?
The HMAC family: HS256, HS384, and HS512, which sign the token with a shared secret. Asymmetric algorithms like RS256 (which need a private key) aren't offered here — this tool is for the common shared-secret case.
Is it safe to paste my real secret?
The signing happens entirely in your browser via the Web Crypto API — the payload, secret, and token are never sent anywhere. That said, only enter a production secret on a device and network you trust, and prefer a throwaway secret for casual testing.
How do I check the token is correct?
Paste it into the JWT Decoder to read the header and payload and verify the signature with the same secret. A JWT is not encrypted — anyone can read its payload — so never put sensitive data in it.

Related tools

JSON Formatter & BeautifierFormat, beautify, and validate JSON instantly in your browser. Your data never leaves your device.JWT Decoder & VerifierDecode and verify JSON Web Tokens (JWT) in your browser. HS256, RS256, ES256 supported. Tokens and keys never leave your device.Base64 Encoder & DecoderEncode text to Base64 or decode Base64 back to text instantly in your browser. Unicode-safe. Nothing is uploaded.