Generate signed JWT tokens from a visual claim editor. Configure header algorithm, add standard and custom claims, sign with HMAC or RSA keys — browser-based, free, no signup.
Select HS256/384/512 for HMAC with a shared secret, or RS256/384/512 for RSA with a private key. The key input section updates accordingly.
Click quick-add buttons to add standard claims like sub, exp, and iss. Add custom claims as string, number, boolean, or JSON values.
Enter your secret or private key, then click "🔐 Generate Token". Copy the full token or individual parts (header, payload, signature).
The JWT Generator creates signed JSON Web Tokens from a visual editor without writing code. Configure the header algorithm, build the payload with standard and custom claims, provide a signing key, and click Generate. All cryptographic operations use the browser's native Web Crypto API — your keys and tokens never leave your machine.
All processing happens entirely in your browser using the Web Crypto API — your key never leaves your machine and is not sent to any server. That said, as a general security principle, avoid using production signing keys in any third-party tool. Use a test key for development purposes, and keep production keys in a secrets manager.
HS256 uses a shared HMAC secret — both the issuer and the verifier need to know the same secret key. RS256 uses an RSA key pair — the issuer signs with the private key and any verifier can check the signature using only the public key. RS256 is better for distributed systems where multiple services need to verify tokens without knowing the signing secret.
Click the "exp" quick-add button to add an expiration claim. It will be pre-populated with "now + 1 hour". You can change the value — enter a Unix timestamp directly, or use the offset presets like "1h", "24h", "7d". The tool automatically converts these to the correct Unix timestamp for the exp claim.
Custom claims can be typed as: string (default), number (integer or float — useful for timestamps and IDs), boolean (true/false — useful for flags like admin: true), and JSON (for nested objects or arrays — parsed from the value field).
Yes. Generate a token here, copy it, then paste it into the JWT Decoder tool to inspect and verify it. The Decoder supports HMAC signature verification with the same secret you used here, so you can validate that the token roundtrips correctly.
For testing, click the "⟳ Generate" button next to the key field — this generates a fresh RSA-2048 key pair in your browser using the Web Crypto API and populates the private key field. For production, use a proper key management system to generate and store RSA keys securely.
Generating JWT tokens manually during development is tedious — it requires either writing code to sign with the correct algorithm and key, or using a library CLI. This tool provides a visual interface for the same operation, backed by the browser's native Web Crypto API for cryptographically correct signatures.
JWTs are most commonly used for stateless authentication (API access tokens), information exchange between services, and OAuth 2.0 access tokens. The token contains all the information a service needs to authenticate a user without a database lookup — the claims in the payload, verified by the signature. This makes them ideal for microservice architectures where multiple services need to verify user identity independently.
HS256 (HMAC-SHA256) is the simplest choice for single-application or internal APIs where both the issuer and verifier share a secret. RS256 (RSA-SHA256) is the better choice for public-facing APIs or multi-service architectures — the public key can be distributed widely while the private key stays secret. ES256 (ECDSA-SHA256) offers similar security to RS256 with shorter signatures and faster verification, though it requires a different key format.