JWT Generator

Generate signed JWT tokens

About JWT Generator

Testing JWT authentication usually means spinning up a full auth server just to get a signed token. This generates valid signed JWTs directly in the browser so you can test your API endpoints immediately. Set the algorithm (HS256, HS384, HS512), subject, issuer, expiry (accepts human values like "1h", "7d", "30m"), and any custom claims. The output is a proper signed token ready for an Authorization header. Signing uses the browser's WebCrypto API. Your secret key is not sent anywhere.

Common Use Cases

  • Generating test tokens for API endpoint testing without an auth server
  • Creating tokens with specific claims to test authorization logic
  • Generating intentionally expired tokens to test expiry handling
  • Building tokens with specific roles to test permission boundaries
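The signing flow described above, paired with a verifier for the expiry and role test cases, as an added example (not the tool's own source). The function names, the `now` clock parameter and the result shape are assumptions made for illustration.

```javascript
// Added example, not the tool's source. Runs in a browser or in Node.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const HASH = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const UNIT = { s: 1, m: 60, h: 3600, d: 86400 };
const enc = new TextEncoder();
const dec = new TextDecoder();
const nowSec = () => Math.floor(Date.now() / 1000);

const b64url = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// "30m", "1h", "7d", "3600s" -> seconds
function parseDuration(text) {
  const m = /^(\d+)([smhd])$/.exec(text);
  if (!m) throw new Error(`bad duration: ${text}`);
  return Number(m[1]) * UNIT[m[2]];
}

const hmacKey = (alg, secret, usage) => subtle.importKey(
  "raw", enc.encode(secret), { name: "HMAC", hash: HASH[alg] }, false, [usage]);

async function signJwt({ alg = "HS256", secret, claims = {}, expiresIn, now = nowSec() }) {
  if (!HASH[alg]) throw new Error(`unsupported alg: ${alg}`);
  const payload = { ...claims, iat: now, exp: now + parseDuration(expiresIn) };
  const input = [{ alg, typ: "JWT" }, payload]
    .map((part) => b64url(enc.encode(JSON.stringify(part)))).join(".");
  const sig = await subtle.sign("HMAC", await hmacKey(alg, secret, "sign"), enc.encode(input));
  return `${input}.${b64url(sig)}`;
}

// The expected algorithm is pinned by the caller, never taken from the token header.
async function verifyJwt(token, secret, alg = "HS256", now = nowSec()) {
  try {
    const [h, p, s, extra] = token.split(".");
    if (!h || !p || !s || extra !== undefined) return { ok: false, reason: "malformed" };
    if (JSON.parse(dec.decode(unb64url(h))).alg !== alg) return { ok: false, reason: "alg mismatch" };
    const key = await hmacKey(alg, secret, "verify");
    if (!(await subtle.verify("HMAC", key, unb64url(s), enc.encode(`${h}.${p}`))))
      return { ok: false, reason: "bad signature" };
    const claims = JSON.parse(dec.decode(unb64url(p)));
    if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
    return { ok: true, claims };
  } catch {
    return { ok: false, reason: "malformed" };
  }
}
```

Passing a `now` in the past to `signJwt` yields an already-expired token, which is how the expiry-handling case can be exercised against `verifyJwt` or your own API.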

Frequently Asked Questions

HS256 vs RS256: when to use each?
HS256 uses a shared secret — same key signs and verifies. Simpler for internal services where you control both sides. RS256 uses a private/public key pair — you sign with the private key and verify with the public key. Better when third parties need to verify tokens without access to your secret.
What standard claims should I include?
sub (who the token is about), iss (who issued it), aud (intended recipient), exp (expiry Unix timestamp), iat (issued-at timestamp). Everything else is application-specific.
Should I use this with production secrets?
No. This is a development and testing tool. Production token signing should happen server-side in a secure environment.
What format does the expiry field accept?
Relative durations: "1h", "7d", "30m", "3600s". These are converted to the correct Unix timestamp automatically.