
JWT Token Encoder

Create HMAC-SHA256 signed JWT tokens for testing and development. Free, in your browser, no data upload.

Note: For testing only. Never use production secrets in online tools.
Processed in your browser

JWT for development, without the hassle

Total privacy

The token is generated using the Web Crypto API directly in your browser. Neither the payload nor the secret key ever leave your device.

Real cryptographic signing

We use HMAC-SHA256 via the Web Crypto API — the same algorithm production servers use. The token is valid and verifiable.

Compatible with any JWT library

The generated token follows the JWT standard (RFC 7519). It works with jsonwebtoken (Node.js), PyJWT (Python), java-jwt, and any compliant implementation.

Instant, no network dependency

No server calls. Generation happens in milliseconds regardless of your connection.

Three steps, no hassle

1. Define the payload

Write the JSON payload with the claims you need: sub, exp, iat, or any custom field.

2. Enter your secret key

Type the secret key for HMAC-SHA256 signing. Use test keys only — never production secrets in browser tools.

3. Copy the generated token

The signed JWT token is generated instantly in your browser. Copy it for use in your API tests.

Got questions?

HMAC-SHA256 is a signing algorithm that combines your secret key with the Base64URL-encoded header and payload to produce a cryptographic signature. Anyone who holds the secret can recompute the signature and detect whether the token has been tampered with.

NO — never enter production secret keys into browser tools. This tool is for generating test tokens in development environments. Keys stay on your device, but the risk of exposure exists any time you type real secrets into any web text field.

HS256 (HMAC-SHA256) is the default and most common algorithm for symmetric JWTs. It is the standard for most implementations that do not require asymmetric cryptography (RS256/ES256).

Yes. The generated JWT token can be decoded with our JWT Decode tool to verify the header and payload. Remember that the payload is only Base64URL-encoded, not encrypted — anyone can read its contents.

Yes. Add any JSON key-value pair to the payload. Standard claims like sub (subject), iss (issuer), and aud (audience) are treated the same as custom ones — they are simply conventions of the JWT standard.

exp (expiration) and iat (issued at) are Unix timestamps in seconds. For a token expiring in 1 hour: iat is the current timestamp and exp is iat + 3600. You can get the current timestamp as a whole number of seconds with Math.floor(Date.now() / 1000) in the browser console.


JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained format for securely transmitting information between parties as a JSON object. A JWT consists of three parts separated by dots: the header (token type and signing algorithm), the payload (the claims or assertions), and the signature (cryptographic signature). Each part is Base64URL-encoded, making the token safe to use in URLs and HTTP headers.

The HS256 algorithm (HMAC with SHA-256) is the most common for symmetric JWTs: both the issuer and the receiver share the same secret key. The signature is computed as HMAC-SHA256(Base64URL(header) + '.' + Base64URL(payload), secret). The browser's Web Crypto API implements HMAC-SHA256 natively, enabling the generation of cryptographically valid tokens without sending any data to a server.

In REST API development, JWT is primarily used for stateless authentication: the server generates a token on login, the client stores it (localStorage or httpOnly cookie) and sends it in the Authorization: Bearer <token> header with each request. The server only needs to verify the signature with its secret key, without a database lookup. The most important standard claims are sub (user identifier), exp (expiration time in Unix seconds), iat (issued at time), and iss (token issuer).