Create, sign, and verify custom JSON Web Tokens instantly for secure API testing and authentication workflows.
Configure the token parameters. The header and payload accept valid JSON. The secret or key is used to sign the token.
The token is generated entirely in your browser. No data is sent to any server.
Paste an existing JWT and provide the secret to verify its signature.
Conceptual calculation: The generator constructs the header and payload JSON objects, Base64URL-encodes them separately, concatenates them with a dot separator, and computes an HMAC signature using the specified algorithm and secret. The final JWT is: Base64URL(header).Base64URL(payload).Base64URL(signature).
Key assumptions: The input JSON is assumed to be valid JSON. The secret is assumed to be the correct signing key. HMAC algorithms use symmetric keys (same key for signing and verification).
Limitations and edge cases: This tool supports only HMAC algorithms (HS256, HS384, HS512) for browser-side signing. RSA and ECDSA algorithms require server-side key management. Tokens are generated client-side only; this tool cannot interact with authorization servers.
Select a signing algorithm (HS256, HS384, or HS512), enter the header JSON, payload JSON with your claims, and a secret key. Click "Generate Token" to create the signed JWT.
To verify an existing token, paste it in the verification section along with the secret used to sign it. The tool will indicate whether the signature is valid.
The generator takes the header and payload JSON, encodes them using Base64URL encoding (which is URL-safe), and concatenates them. It then computes an HMAC signature using the specified algorithm and the secret key. The final JWT is the concatenation of the encoded header, encoded payload, and signature, separated by dots.
The encoded JWT is a single string that combines the header, payload, and signature. You can decode the header and payload without verification. The signature ensures the token was created by someone with the secret key.
For testing, use short expiration times and test-specific secrets. Never use production secrets in online generators.
This tool is for testing and debugging JWT-based authentication systems. It generates tokens entirely client-side and cannot validate against actual authorization servers.
Do not use this tool with production secrets or in production authentication flows. Always implement proper token validation server-side and follow security best practices for key management.
JSON Web Tokens have become a dominant standard for API authentication because they are stateless, scalable, and can carry claims directly without server-side session storage. Understanding when JWTs are appropriate—and when they are not—is critical for building secure systems.
A JWT consists of three parts: the header, the payload, and the signature. The header contains metadata about the signing algorithm. The payload contains the claims—statements about the subject and additional metadata. The signature proves the token was created by someone with access to the secret key.
When you receive a JWT, you can decode the header and payload without verification. However, only tokens with valid signatures from trusted issuers should be trusted. This is why signature verification is essential.
JWTs support two broad categories of signing algorithms: symmetric (HMAC) and asymmetric (RSA, ECDSA). The choice between them has significant implications for key management and security.
| Category | Algorithms | Key Type | Best For | Key Management |
|---|---|---|---|---|
| HMAC (Symmetric) | HS256, HS384, HS512 | Shared secret | Internal services, simple deployments | Both parties must keep the secret confidential |
| RSA (Asymmetric) | RS256, RS384, RS512 | Public/private key pair | Open APIs, multi-party authentication | Public key can be shared freely; private key stays secure |
| ECDSA (Asymmetric) | ES256, ES384, ES512 | Public/private key pair | Modern apps, mobile, constrained environments | Smaller keys than RSA with equivalent security |
HMAC algorithms like HS256 are straightforward: the same secret is used to both sign and verify tokens. This works well when both the token issuer and consumer are part of the same system and can securely share the secret. The simplicity is attractive, but it means anyone with the secret can forge tokens.
For testing purposes, HMAC algorithms are convenient because you only need to manage one secret. This tool supports HMAC algorithms for this reason.
JWT payloads contain claims—key-value pairs that represent statements about the token and its subject. Some claims are standardized, while others can be custom-defined for your application.
| Claim | Required | Description |
|---|---|---|
| iss (Issuer) | No | Identifies who issued the token |
| sub (Subject) | No | Identifies the subject of the token (usually user ID) |
| aud (Audience) | No | Identifies who the token is intended for |
| exp (Expiration) | No | Unix timestamp after which the token is invalid |
| nbf (Not Before) | No | Unix timestamp before which the token is not valid |
| iat (Issued At) | No | Unix timestamp when the token was issued |
| jti (JWT ID) | No | Unique identifier for the token |
While JWTs are powerful, improper implementation can introduce serious vulnerabilities. Understanding these risks helps avoid common mistakes.
JWTs are stateless and self-contained, which means once issued, they remain valid until expiration. For this reason, tokens should have relatively short lifetimes (minutes to hours). Refresh tokens provide a mechanism to obtain new access tokens without requiring the user to re-authenticate. This tool allows setting the exp claim for testing token expiration.
Never accept the algorithm from the token header blindly. Always validate that the algorithm matches what your server expects. An attacker could potentially manipulate the algorithm field in some implementations. Specify explicit algorithms in your verification code and reject unexpected algorithms.
Secrets should never be hardcoded, committed to repositories, or transmitted over insecure channels. Use environment variables or secret management systems in production. Rotate keys regularly and have a plan for key revocation if a secret is compromised.
When testing APIs that use JWT authentication, you often need to generate tokens with specific claims, expiration times, or payloads to test various scenarios. This includes testing token expiration handling, invalid signature rejection, audience validation, and custom claim processing.
Generate tokens with edge-case values: expired tokens, tokens with missing claims, tokens with future iat values, and tokens signed with wrong keys to verify your API properly handles these cases.
A JWT (JSON Web Token) is a compact, URL-safe format for transmitting claims between parties. It consists of a header, payload, and signature. The signature allows the recipient to verify the token was created by a trusted party with the secret key.
Enter the header JSON (alg and typ), payload JSON (claims like sub, iat, exp), and a secret key. The tool will generate a signed JWT that you can use to test your API authentication endpoints.
HS256 uses a symmetric key (shared secret) for both signing and verification. RS256 uses an asymmetric key pair (private key to sign, public key to verify). RS256 is preferred for open APIs where multiple parties need to verify tokens without sharing a secret.
No. Never use actual production secrets in online tools. This tool generates tokens entirely in your browser, but for security best practices, use test secrets only. Production token generation should happen in secure backend environments.
Add any key-value pairs to the payload JSON. For example, adding "role": "admin" creates a custom claim. Some claim names are reserved (iss, sub, aud, exp, nbf, iat, jti), but you can add additional properties for your application.
Common causes include whitespace or formatting issues in the JSON, using different algorithms for signing vs verification, or Base64URL vs Base64 encoding confusion. Ensure the header.alg matches the algorithm used for signing.
Decode and inspect existing JWT tokens to verify payloads, headers, and signature status.
Encode and decode Base64URL strings commonly used in JWT encoding and web APIs.
Generate HMAC-SHA256 signatures for message authentication and token validation.
Build and format authentication headers for various API authorization schemes.
Visualize OAuth 2.0 authentication flows with sequence diagrams and security recommendations.
Debug WebAuthn registration and authentication flows with CBOR decoding.
Generate and test bcrypt password hashes with configurable cost factors.
Create strong, random passwords with customizable character sets and length parameters.