JWT Token Generator — Free & Private
Sign JWT tokens with HS256, HS384 or HS512, or decode any JWT to inspect its header and payload. Everything runs in your browser — no server, no upload.
HS256 · HS384 · HS512
Generate signed JWTs with any of the three HMAC algorithms. Editable header and payload.
Decode Any JWT
Paste any JWT and inspect its decoded header, payload, and metadata instantly.
No Upload
HMAC signing uses the Web Crypto API in your browser. Nothing is transmitted.
JWT structure explained
A JWT looks like this: xxxxx.yyyyy.zzzzz. Each section is Base64URL-encoded:
- Header — Algorithm (alg) and token type (typ). Example: {"alg":"HS256","typ":"JWT"}
- Payload — Claims about the subject. Standard claims include sub, exp and iat. Add custom claims as needed.
- Signature — HMAC, keyed with the secret, over the Base64URL-encoded header and payload joined by a dot. This proves the token hasn't been tampered with by anyone who doesn't hold the secret.
Frequently asked questions
What is a JWT token?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. A JWT consists of three Base64URL-encoded parts separated by dots: a header (algorithm and type), a payload (claims), and a signature. JWTs are used for authentication, authorization, and information exchange.
What is the difference between HS256, HS384 and HS512?
All three are HMAC-based symmetric signing algorithms: the same secret both signs and verifies. The number indicates the hash size: HS256 uses SHA-256 (64-char hex digest), HS384 uses SHA-384 (96-char), HS512 uses SHA-512 (128-char); the signature segment in the token is the Base64URL encoding of that digest, so it is shorter. HS256 is the most widely supported and is the default. Larger variants offer marginally more collision resistance but all are considered secure for JWT signing. In practice the secret matters more than the hash: RFC 7518 requires an HMAC key at least as long as the hash output (256 bits for HS256), and a short, guessable secret undermines every variant.
Is my secret or JWT sent to a server?
No. This tool uses the Web Crypto API (crypto.subtle.sign with HMAC) which runs entirely in your browser. Your signing secret, payload, and generated tokens never leave your device. This is safe for testing but remember: never use production secrets in browser-based tools in untrusted environments.
What are JWT claims?
Claims are the statements in the JWT payload about the subject. Registered claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time as Unix timestamp), nbf (not before), iat (issued at), and jti (JWT ID). You can also add custom claims for your application's needs.
Can I use this tool to verify a JWT signature?
The decoder shows the header and payload of any JWT without verifying the signature, so decoded claims are untrusted input. Signature verification requires the signing secret (for HMAC) or the public key (for RSA/EC). Always verify JWT signatures server-side before trusting the claims.
What is the exp claim and why does it matter?
The exp (expiration) claim is a Unix timestamp (seconds since 1970-01-01) after which the token must be rejected. For example, exp: 1700000000 means the token expired on 2023-11-14. Always set an expiration on tokens — tokens without exp claims are valid forever if not revoked.