JWT Generator (HS256)
Create and sign a JSON Web Token (HS256/384/512) from a payload and secret.
Updated: June 27, 2026
Create a signed JWT in your browser
A JSON Web Token packages a set of claims (your payload) and signs them so the recipient can verify the token wasn't tampered with. This generator takes your payload JSON and a secret, then produces a signed token using HMAC — HS256, HS384 or HS512. The signing happens locally with the Web Crypto API, so your secret never leaves the page. It's ideal for testing, debugging auth flows, and learning how JWTs are built.
How a JWT is assembled
The token is three Base64url-encoded parts joined by dots: header.payload.signature. The header declares the algorithm ({"alg":"HS256","typ":"JWT"}). The payload holds your claims. The signature is HMAC(secret, header + "." + payload), computed over the Base64url-encoded header and payload and then Base64url-encoded itself. Anyone can read the header and payload — they're only encoded, not encrypted — but only someone with the secret can produce a valid signature, which is what makes the token trustworthy.
Useful standard claims
- sub — subject (who the token is about, e.g. a user ID).
- exp — expiration time as a Unix timestamp; verifiers reject expired tokens.
- iat — issued-at time.
- nbf — not valid before this time.
- iss / aud — issuer and intended audience.
Need a timestamp for exp or iat? Generate one with our
Unix timestamp converter.
Security reminders
- Never put secrets in the payload. It's readable by anyone holding the token.
- Use a long, random secret. A weak HS256 secret can be brute-forced. Generate one with our API key generator.
- Always set an expiry. Short-lived tokens limit the damage if one leaks.
- This is for testing. In production, issue tokens server-side so secrets stay on the server.
Verify what you create
Paste the token straight into our JWT decoder to confirm the claims and verify the signature against your secret. The two tools use the same HMAC primitive as our HMAC generator, so results are consistent across the site.
Frequently asked questions
Is it safe to enter my secret here?
For testing, yes — the token is signed in your browser with the Web Crypto API and the secret is never transmitted. For production, always sign tokens on your server so the secret never reaches a client.
Which algorithms are supported?
HMAC-based HS256, HS384 and HS512. Asymmetric algorithms (RS256, ES256) sign with a private key and aren't generated here.
How do I make the token expire?
Add an exp claim to your payload with a Unix timestamp in the future. Verifiers will reject the token after that moment. Use our timestamp converter to get the value.
Can the payload be read by others?
Yes. The payload is only Base64url-encoded, not encrypted. Never include passwords or secrets — the signature protects integrity, not confidentiality.
Authentication platforms
For real token issuance and validation in production:
- Identity provider / auth platform: Issue, rotate and verify tokens (OAuth 2.0 / OIDC) with secrets managed safely server-side.
- API gateway: Validate and enforce JWTs at the edge, rejecting expired or malformed tokens before they hit your services.
Learn more
- What Is a JWT and How Does It Work? How JSON Web Tokens really work — the header, payload and signature, what signing proves, and the security mistakes that bite teams.
- HMAC Explained: How Webhook Signatures Work. How HMAC proves a message came from who you think it did — the mechanism behind Stripe and GitHub webhook signatures, and how to verify them safely.
- JWT vs Session Cookies: Which Auth Should You Use? Stateless tokens or server-side sessions? The real trade-offs between JWTs and session cookies — scalability, revocation, and the security gotchas of each.
Related tools
- JWT Decoder & Validator: Decode a JWT's header and payload, inspect its claims, and verify an HS256 signature.
- HMAC Generator (SHA-1, SHA-256, SHA-512): Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.
- API Key & Secret Generator: Generate cryptographically secure API keys and secrets in hex, Base64url or alphanumeric.
- Base64 Encode / Decode: Convert text to Base64 and back, with full Unicode (UTF-8) support.