JWT Generator

Enter payload JSON and a shared secret to sign HS256 JWTs locally—pair with jwt-decoder for testing. Dev only; never expose production secrets in the browser.

Privacy: processed locally, never uploaded.

Quick start

  1. Set secret

    HS256 shared secret.

  2. Edit payload

    JSON object; defaults include sub/iat/exp.

  3. Generate and copy

    Copy token to jwt-decoder to verify.

With the decoder

Paste into jwt-decoder to inspect header/payload and expiry warnings.

Security

Client-side signing is not for production auth; sign real tokens on the server.

Typical Workflow

When developing API endpoints, you often need test JWTs. Open the tool and: 1) Enter JSON in Payload (e.g. {"user_id":123}); 2) Set the algorithm to HS256; 3) Enter a test key (like 'your-256-bit-secret'); 4) Click generate and copy. All processing happens locally in your browser.

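Paste the JWT into your API's Authorization header (format: Bearer <token>), or verify it with our jwt-decoder. To test expiration, set the 'exp' field in the payload to a UNIX timestamp (e.g. 1698765432). Remember that HS256 is a symmetric scheme (HMAC-SHA256 signing, not encryption): every service that holds the secret to verify tokens can also mint them, and the payload is only base64url-encoded, so prefer RS256 in production.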
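The generate step and a matching verification check, written against Web Crypto as an added example (this is not the tool's own source code). The function names `signHs256` and `verifyHs256` are hypothetical, and the sample call at the end is constructed from the test key and `exp` value quoted in the workflow text.

```javascript
// Added example (not the tool's source). Browsers and current Node expose Web
// Crypto as globalThis.crypto; the require() is a fallback for older Node.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

const b64url = (bytes) =>
  btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Non-extractable HMAC-SHA256 key restricted to a single usage.
const hmacKey = (secret, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

async function signHs256(payload, secret) {
  const header = b64url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(enc.encode(JSON.stringify(payload)));
  const input = `${header}.${body}`;
  const sig = await subtle.sign("HMAC", await hmacKey(secret, "sign"), enc.encode(input));
  return `${input}.${b64url(sig)}`;
}

// Returns the payload or throws. nowSec is injectable so expiry can be tested.
async function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  // Pin the algorithm: the token's header must not choose how it is verified.
  if (JSON.parse(dec.decode(fromB64url(h))).alg !== "HS256") throw new Error("unexpected alg");
  // subtle.verify recomputes the MAC and compares it without a string compare.
  const ok = await subtle.verify("HMAC", await hmacKey(secret, "verify"),
    fromB64url(s), enc.encode(`${h}.${p}`));
  if (!ok) throw new Error("bad signature");
  // Parse claims only after the signature has been checked.
  const payload = JSON.parse(dec.decode(fromB64url(p)));
  if (typeof payload.exp === "number" && payload.exp <= nowSec) throw new Error("token expired");
  return payload;
}

// Constructed sample input: test key and exp value taken from the text above.
signHs256({ sub: "user", exp: 1698765432 }, "your-256-bit-secret")
  .then((t) => verifyHs256(t, "your-256-bit-secret", 1698765000))
  .then((p) => console.log("verified payload:", p));
```

The third argument to `verifyHs256` fixes the clock, which makes it easy to confirm that an endpoint rejects a token once `exp` has passed.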

Examples

Example

Input

secret + {"sub":"user"}

Output

eyJhbGciOiJIUzI1NiIs…

FAQ

RS256 support?

HS256 only; asymmetric algorithms need private key handling.

Secret uploaded?

No; signed locally with Web Crypto.

Why 'Invalid payload' error?

Payload must be strict JSON: 1) All keys in double quotes; 2) String values in double quotes; 3) No comments/trailing commas. E.g. {"sub":"user1"} works but {sub:'user1'} or {"age":30,} don't. Validate syntax with a JSON tool first.