JWT Generator — Create HS256 Signed JWT Tokens
Generate HS256-signed JWT tokens with custom claims (sub, iss, exp, aud) and a secret key.
About JWT Generator — Create HS256 Signed JWT Tokens
JWT Generator creates HS256-signed JSON Web Tokens from a custom payload and secret key. Test authentication flows, generate tokens for API testing, and understand the JWT structure with this browser-based tool.
How to Use
1. Enter the JWT payload as a JSON object (e.g., {"sub":"123","role":"admin"}).
2. Enter the HMAC-SHA256 secret key.
3. Click "Generate" to create the signed JWT token and copy it.
Features
- Generate HS256-signed JWTs instantly in the browser
- Useful for testing JWT-authenticated APIs
- No server needed — signing occurs locally using the Web Crypto API
- Paired with the JWT Decoder tool for full JWT workflow
Understanding JSON Web Tokens
JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. They are widely used for authentication and information exchange in modern web applications.
JWT Structure and Components
A JWT consists of three Base64URL-encoded parts separated by dots: the header, payload, and signature. The header declares the token type and signing algorithm (e.g., HS256). The payload contains claims — statements about an entity such as a user ID, roles, or expiration time. Standard registered claims include "iss" (issuer), "sub" (subject), "aud" (audience), "exp" (expiration time), "nbf" (not before), and "iat" (issued at). The signature is created by encoding the header and payload and signing them with a secret key, which allows recipients to verify the token has not been tampered with. Understanding this structure helps you craft tokens appropriate for your authentication needs.
Signing Algorithms: HS256, RS256, and ES256
JWT supports several signing algorithms. HS256 (HMAC-SHA256) is a symmetric algorithm where the same secret is used for both signing and verification, making it simple but requiring that all parties share the secret securely. RS256 (RSA-SHA256) is an asymmetric algorithm using a private key to sign and a public key to verify — ideal when multiple services need to verify tokens without access to the signing secret. ES256 (ECDSA-SHA256) also uses asymmetric keys but with elliptic curve cryptography, offering smaller signatures and faster operations. This tool uses HS256 for simplicity, which is appropriate for development, testing, and single-service environments where the secret can be kept private.
JWT Security and Best Practices
Proper JWT usage requires attention to security considerations. Understanding common vulnerabilities helps you implement tokens safely in production environments.
Claims and Token Expiration
Always include an "exp" claim to limit token lifetime and reduce the risk of token theft. Short-lived tokens (minutes to hours) are more secure than long-lived ones. The "iat" (issued at) claim records when the token was created, enabling servers to reject tokens older than a threshold even if not technically expired. Including a unique "jti" (JWT ID) claim allows servers to maintain a blocklist of revoked tokens. The "sub" claim should identify the principal — typically a user ID. Avoid putting sensitive information like passwords or payment details in the payload, since the payload is Base64-encoded but not encrypted; anyone with the token can decode and read the payload.
Development vs Production Usage
Browser-based JWT generators like this tool are intended for development, testing, and educational purposes only. For production systems, always generate tokens server-side in a secure environment where secrets are protected by environment variables or secret management systems. Never hardcode JWT secrets in client-side code, source control, or configuration files. Use sufficiently long, randomly generated secrets (at least 256 bits for HS256). Rotate secrets periodically and have a revocation strategy in place. When testing JWT-authenticated APIs, this tool is invaluable for quickly creating test tokens with specific claims without writing boilerplate code.
FAQ
- Is it safe to generate JWTs here?
- For development and testing only. Do not generate production tokens using real secrets in any browser-based tool.
- What is HS256?
- HS256 (HMAC-SHA256) is a symmetric signing algorithm — the same secret is used to sign and verify the token.
- Can I add standard JWT claims like exp?
- Yes. Add standard claims like "exp" (expiration), "iat" (issued at), and "sub" (subject) to the payload JSON object.
- What is the difference between HS256 and RS256 JWT signing?
- HS256 uses a single shared secret key for both signing and verification — the same key that creates the token also verifies it. RS256 uses an asymmetric RSA key pair: the private key signs the token (kept secret on the server), and the public key verifies it (can be shared publicly). RS256 is preferred when multiple services need to verify tokens without having signing access. HS256 is simpler and faster for single-service authentication.
- What claims should I always include in a JWT payload?
- Standard claims recommended by RFC 7519: iss (issuer — who created the token), sub (subject — who the token is about, typically a user ID), exp (expiration time — Unix timestamp when the token expires), iat (issued at — when the token was created), and jti (JWT ID — a unique identifier to prevent token reuse). Always set exp to a reasonable value (15 minutes for access tokens, 7–30 days for refresh tokens) to limit the window of exposure if a token is compromised.