JWT Generator (Sign HS256)
Create and sign a JSON Web Token (JWT) with HS256, HS384, or HS512 and your secret — entirely in your browser. Payload, secret, and token never leave your device.
The token is signed with HMAC and your secret using the Web Crypto API — the payload, secret, and token never leave your browser. Paste the result into the JWT Decoder to verify it. Only use real secrets on a device you trust.
Build and sign a JSON Web Token with HS256, HS384, or HS512. Enter your claims and a secret, and get a ready-to-use token — signed in your browser with the Web Crypto API, so nothing leaves your device.
How to use it
No account, no upload — it all happens on your device.
Anatomy of a JWT
Three base64url parts joined by dots.
A JWT is header.payload.signature. The header names the algorithm, the payload holds your claims, and the signature is an HMAC of the first two parts using your secret. Changing any part invalidates the signature — that's what lets a server trust it.
Security notes
- Not encrypted. The payload is only base64url encoded — anyone can read it. Never store secrets in it.
- Use a strong secret. HMAC security rests on the secret; short ones are guessable. Test one with the Password Strength Checker.
- Verify with the decoder. Round-trip your token through the JWT Decoder.