365tools

JWT Generator & Decoder

Generate signed JWT tokens with HS256/HS384/HS512, or decode any JWT to inspect its header and payload. Browser-only, nothing sent to any server.

How JWT Generator Works

1. Edit header & payload

The header and payload are pre-filled with sensible defaults. Edit them as valid JSON — add custom claims, change the expiration, or adjust the algorithm.

2. Enter secret & generate

Type your signing secret, choose HS256, HS384 or HS512, and click Generate JWT. The header alg field updates automatically when you switch algorithms.

3. Copy the token

Copy the generated JWT to clipboard. The three parts are colour-coded (red = header, purple = payload, blue = signature) so you can see the structure at a glance.

Key Features

HS256, HS384 & HS512

Choose any HMAC-based signing algorithm. The header alg field syncs automatically so the generated token is always self-consistent.

Decode any JWT

Switch to Decode mode and paste any JWT to see its header and payload decoded as formatted JSON — useful for inspecting tokens from your API.

Web Crypto API signing

HMAC signing uses crypto.subtle.sign() — the browser's native cryptographic API. Your secret and the generated token never leave your device.

Editable header & payload

Both the header and payload are fully editable JSON fields. Add custom claims, set an expiration, or change the subject without leaving the page.

Decode-only disclaimer

The decoder shows header and payload without verifying the signature. A clear notice reminds you to always verify signatures server-side before trusting claims.

Instant generation

Token generation is asynchronous but near-instant. Large payloads do not slow generation — HMAC signing is fast regardless of payload size.

Frequently Asked Questions

Q: What is a JWT token?
A: JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information as a JSON object. A JWT has three Base64URL-encoded parts: header (algorithm + type), payload (claims), and signature. JWTs are widely used for authentication and authorization.
Q: What is the difference between HS256, HS384 and HS512?
A: All three are HMAC-based symmetric signing algorithms. The number is the hash size: HS256 uses SHA-256, HS384 uses SHA-384, HS512 uses SHA-512. HS256 is the most widely supported default. All three are considered secure for JWT signing.
Q: Is my secret or JWT sent to a server?
A: No. This tool uses the Web Crypto API (crypto.subtle.sign with HMAC) which runs entirely in your browser. Your signing secret, payload, and tokens never leave your device.
Q: What are JWT claims?
A: Claims are statements in the payload. Standard registered claims include: iss (issuer), sub (subject), aud (audience), exp (expiration as Unix timestamp), iat (issued at), and jti (JWT ID). Add custom claims for your application's needs.
Q: Can I verify a JWT signature with this tool?
A: The decoder shows the decoded header and payload without verifying the signature. Signature verification requires the signing secret. Always verify JWT signatures server-side before trusting the claims.
Q: What is the exp claim?
A: exp is a Unix timestamp (seconds since 1970-01-01) after which the token should be rejected. Always set an expiration on tokens; tokens without exp claims are valid indefinitely if not revoked.
