Skip to content

JWT Generator

Quick-add Claims
Only HMAC (shared-secret) signing runs client-side. RS/ES/PS algorithms need a private key and a server or KMS to stay secret.
Signed TokenHS256
Fix the JSON above to generate a token.

Signing happens entirely in your browser via the Web Crypto API. Your secret and claims never leave this page.

What This Tool Does

JWT Generator is built for deterministic developer and agent workflows.

Build and sign a JSON Web Token (HS256/384/512) entirely in your browser with editable header and claims.

Use How to Use for execution steps and FAQ for constraints, policies, and edge cases.

Last updated:

This tool is provided as-is for convenience. Output should be verified before use in any production or critical context.

Agent Invocation

Best Path For Builders

Browser workflow

Runs instantly in the browser with private local processing and copy/export-ready output.

Browser Workflow

This tool is optimized for instant in-browser execution with local data handling. Run it here and copy/export the output directly.

/jwt-generator/

For automation planning, fetch the canonical contract at /api/tool/jwt-generator.json.

How to Use JWT Generator

  1. 1

    Edit the header

    Keep the default header with alg and typ, or adjust it. The alg field stays in sync with the algorithm selector.

  2. 2

    Write your claims

    Enter the payload as JSON, or use the quick-add buttons for iat, exp, sub, iss, and aud.

  3. 3

    Choose algorithm and secret

    Pick HS256, HS384, or HS512 and enter the shared secret used to sign and later verify the token.

  4. 4

    Read the preview

    Check the decoded claims and expiry status to confirm the token contains what you expect.

  5. 5

    Copy the token

    Copy the signed header.payload.signature string into your app, tests, or API client.

Frequently Asked Questions

What does this JWT generator do?
It builds a JSON Web Token from an editable header and claims, then HMAC-signs it with your secret so you get a ready-to-use token for testing and integration.
Which signing algorithms are supported?
HS256, HS384, and HS512, which use a shared secret (HMAC). Asymmetric algorithms like RS256 or ES256 require a private key and a server, so they are intentionally out of scope for a client-side tool.
Is the token signed in my browser?
Yes. The header, payload, and secret are base64url-encoded and signed locally with the Web Crypto API. Nothing is uploaded to a server.
How do I set an expiry time?
Use the exp quick-add button with a minutes value, or add an exp claim manually as a Unix timestamp. The preview then shows the resulting expiry and whether it is still valid.
Can I edit the header and claims freely?
Yes. Both are JSON editors with live validation. The algorithm selector keeps the header's alg field in sync so the token stays consistent.