ToolSec

JWT Generator (HS256)

Create and sign a JSON Web Token (HS256/384/512) from a payload and secret.

Updated: June 27, 2026

Create a signed JWT in your browser

A JSON Web Token packages a set of claims (your payload) and signs them so the recipient can verify the token wasn't tampered with. This generator takes your payload JSON and a secret, then produces a signed token using HMAC — HS256, HS384 or HS512. The signing happens locally with the Web Crypto API, so your secret never leaves the page. It's ideal for testing, debugging auth flows, and learning how JWTs are built.

How a JWT is assembled

The token is three Base64url-encoded parts joined by dots: header.payload.signature. The header declares the algorithm ({"alg":"HS256","typ":"JWT"}). The payload holds your claims. The signature is an HMAC, keyed with the secret, over the encoded header, a dot, and the encoded payload (HMAC-SHA-256 for HS256, HMAC-SHA-384 for HS384, HMAC-SHA-512 for HS512), and it too is Base64url-encoded without padding. Anyone can read the header and payload, since they're only encoded, not encrypted, but only someone holding the secret can produce a valid signature, which is what lets a verifier trust the claims. One caveat for anyone writing a verifier: decide the expected algorithm yourself rather than trusting the alg value in the header, so a token cannot switch itself to "none" or to a different algorithm.

Useful standard claims

  • sub — subject (who the token is about, e.g. a user ID).
  • exp — expiration time as a Unix timestamp; verifiers reject expired tokens.
  • iat — issued-at time.
  • nbf — not valid before this time.
  • iss / aud — issuer and intended audience.

Need a timestamp for exp or iat? Generate one with our Unix timestamp converter.

Security reminders

  • Never put secrets in the payload. It's readable by anyone holding the token.
  • Use a long, random secret. HS256 signatures can be checked offline, so anyone holding a token can guess secrets against it without touching your server; a short or dictionary secret falls quickly. Use at least 32 random bytes (RFC 7518 requires a key no shorter than the hash output, 256 bits for HS256). Generate one with our API key generator.
  • Always set an expiry. Short-lived tokens limit the damage if one leaks.
  • This is for testing. In production, issue tokens server-side so secrets stay on the server.
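To make the assembly step and the verification checks above concrete, here is an added Python example (not the generator's own code): it builds an HS256/384/512 token exactly as described, then verifies one while pinning the algorithm to an HMAC allowlist, comparing signatures in constant time, and enforcing exp and nbf. The secret and claims in demo() are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# HMAC algorithms this example accepts. verify_jwt() rejects any alg outside
# this allowlist, including "none", instead of trusting the token's header.
HS_ALGS = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(alg: str, secret: bytes, signing_input: bytes) -> bytes:
    """HMAC over 'header.payload' with the hash the alg names."""
    return hmac.new(secret, signing_input, HS_ALGS[alg]).digest()


def create_jwt(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Assemble header.payload.signature for one of the HS algorithms."""
    if alg not in HS_ALGS:
        raise ValueError(f"unsupported alg {alg!r}")
    header = {"alg": alg, "typ": "JWT"}
    # separators=(",", ":") gives compact JSON like the header shown on the page.
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    segments.append(b64url_encode(_sign(alg, secret, signing_input)))
    return ".".join(segments)


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return the payload if signature and time claims check out, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    alg = header.get("alg")
    if alg not in HS_ALGS:  # pins the algorithm; "none" and RS/ES never reach HMAC
        raise ValueError(f"alg {alg!r} not allowed")
    expected = _sign(alg, secret, f"{h_b64}.{p_b64}".encode("ascii"))
    # Constant-time compare: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def _rejects(token: str, secret: bytes, now: int) -> bool:
    """True if verify_jwt refuses the token."""
    try:
        verify_jwt(token, secret, now=now)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed sample: sign a short-lived token, then show what verification rejects."""
    secret = b"example-secret-replace-with-32-plus-random-bytes"  # placeholder, not a real key
    issued = 1_700_000_000  # fixed 'now' so the demo is reproducible
    claims = {"sub": "user-42", "iss": "toolsec-demo", "iat": issued, "exp": issued + 300}
    token = create_jwt(claims, secret)
    h_b64, p_b64, s_b64 = token.split(".")
    results = {"valid": verify_jwt(token, secret, now=issued + 10)["sub"] == "user-42"}
    # 1. The payload is readable without the secret: encoding is not encryption.
    results["payload_readable"] = json.loads(b64url_decode(p_b64))["sub"] == "user-42"
    # 2. Changing the payload breaks the signature.
    forged = ".".join([h_b64, b64url_encode(b'{"sub":"admin"}'), s_b64])
    results["tamper_rejected"] = _rejects(forged, secret, issued + 10)
    # 3. alg=none with an empty signature is refused by the allowlist.
    none_hdr = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    results["none_rejected"] = _rejects(f"{none_hdr}.{p_b64}.", secret, issued + 10)
    # 4. A correctly signed token is still refused once exp has passed.
    results["expired_rejected"] = _rejects(token, secret, issued + 301)
    return results
```

Run demo() to see all five checks come back True; the first segment of any HS256 token it produces is the familiar eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, the Base64url form of the header shown above.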

Verify what you create

Paste the token straight into our JWT decoder to confirm the claims and verify the signature against your secret. The two tools use the same HMAC primitive as our HMAC generator, so results are consistent across the site.

Frequently asked questions

Is it safe to enter my secret here?

For testing, yes — the token is signed in your browser with the Web Crypto API and the secret is never transmitted. For production, always sign tokens on your server so the secret never reaches a client.

Which algorithms are supported?

HMAC-based HS256, HS384 and HS512. Asymmetric algorithms (RS256, ES256) sign with a private key and aren't generated here.

How do I make the token expire?

Add an exp claim to your payload with a Unix timestamp in the future. Verifiers will reject the token after that moment. Use our timestamp converter to get the value.

Can the payload be read by others?

Yes. The payload is only Base64url-encoded, not encrypted. Never include passwords or secrets — the signature protects integrity, not confidentiality.

Authentication platforms

For real token issuance and validation in production:

  • Identity provider / auth platform: issue, rotate and verify tokens (OAuth 2.0 / OIDC) with secrets managed safely server-side.
  • API gateway: validate and enforce JWTs at the edge, rejecting expired or malformed tokens before they hit your services.
