WW Tools

JWT Generator & Signer

Build and sign a JSON Web Token: edit claims as a form or raw JSON, pick HS/RS/PS/ES, supply or generate a key, and copy the signed token.


About JWT Generator & Signer

Backend and QA engineers regularly need a signed test token. Sometimes it has to be deliberately expired, sometimes it carries a specific role claim, sometimes it is an RS256 token issued for a given key ID. Writing throwaway jwt.sign() scripts or standing up an auth service for that is overkill. This JWT generator does the encode-and-sign step directly in the browser.

A JWT is three base64url-encoded parts joined by dots: a header, a payload, and a signature (header.payload.signature). The header names the algorithm, the payload holds your claims, and the signature is computed over the first two parts. HMAC algorithms (HS256/384/512) sign with a shared secret; RSA and ECDSA algorithms (RS, PS, ES) sign with a private key and are verified with the matching public key.

You can edit standard claims (iss, sub, aud, exp, iat, nbf, jti) as form fields with relative-time pickers, or switch to a raw-JSON editor for full control over the header and payload, including a custom kid or typ. Signing uses the Web Crypto API, so the secret or private key stays on your machine and is never sent anywhere.

As you sign, a live preview decodes the token back and confirms the signature verifies, which makes this the inverse of the JWT decoder. You can round-trip a token between the two tools to check both directions.

How to use the JWT Generator

  1. Pick a signing algorithm: HS256/384/512 for a shared secret, or RS/PS/ES for a private key.
  2. Fill the standard claims (iss, sub, aud, jti) in the form, or switch to Raw JSON to edit the full header and payload, including kid.
  3. Set exp, iat, and nbf with the relative-time pickers, or click the Expired preset to build a token for negative-path testing.
  4. Paste a secret or PKCS#8 private key, or click Generate to create one (an HMAC secret, or an RSA/EC keypair as PEM and JWK).
  5. Click Sign Token (or press Ctrl/Cmd+Enter) to produce the signed JWT.
  6. Copy the token, the header or payload JSON, or a ready-to-paste Authorization: Bearer line, and check that the round-trip preview shows the signature verifies.

Common Use Cases

Sign a test token for a protected endpoint

Build a token with the claims your API expects, sign it with the service secret or key, and paste it into a request to exercise an authenticated route without going through a full login flow.

Create an expired or not-yet-valid token

Use the Expired preset (or set exp in the past) to produce a token your API should reject with a 401, so you can confirm your expiry handling works. The not-yet-valid preset sets a future nbf for the same kind of negative test.

Mint an RS256 or ES256 token for asymmetric auth

Generate an RSA or EC keypair, sign with the private key, and share the public key with the verifying service. Useful for integration testing against systems that use asymmetric JWT verification.

Build a token with custom claims

Add custom claims such as roles, tenant, or scope to exercise authorization logic that reads non-standard fields. Values are parsed as JSON first, so numbers, booleans, and objects keep their types.

Frequently Asked Questions

How do I generate a JWT token online?

Pick an algorithm, enter your claims in the form (or paste raw JSON for the header and payload), supply or generate a signing key, then click Sign Token. The signed token appears on the right, ready to copy. Everything runs in your browser.

How do I create a signed JWT with a secret key?

Choose an HS algorithm (HS256, HS384, or HS512) and type your HMAC secret into the Secret field, or click Generate secret to create a random one of 128 to 512 bits. Sign the token and the preview will confirm the signature verifies with that secret.

How do I generate a JWT with RS256 and a private key?

Select RS256 and paste your private key in PKCS#8 PEM format (the block that starts with -----BEGIN PRIVATE KEY-----). If you do not have a key, click Generate RSA keypair to create one. To see the round-trip verification, also provide the matching public key in SPKI PEM format.

What is the difference between HS256 and RS256 for signing?

HS256 is symmetric: the same secret both signs and verifies, so every party that can verify can also forge tokens. RS256 is asymmetric: a private key signs and a separate public key verifies, so you can hand out the public key for verification without exposing the ability to sign.

How do I create an expired JWT for testing?

In the claim form, set the exp picker to Expired, or click the Expired token preset, which puts exp in the past. Sign the token and your API should reject it as expired, which is how you confirm the 401 path works.

Is it safe to sign a JWT in an online tool?

This tool signs entirely client-side with the Web Crypto API, so the secret or private key is never uploaded and never leaves the page. That said, as a general habit, avoid pasting real production private keys into any online tool that you have not verified to be client-only. For test keys and generated keys, signing here is safe.

How do I generate a secure JWT secret key?

Choose an HS algorithm, pick a strength (128, 256, 384, or 512 bits), and click Generate secret. The tool uses the browser CSPRNG to produce random bytes and returns a base64url-encoded secret you can use directly for signing and verification.