JWT Generator Online — Create JSON Web Tokens Free

How to use the JWT generator

Generate JWTs for local testing, debugging auth flows, or generating signed payloads in scripts. Set custom claims, pick HMAC-SHA256 signing, and copy the token. This generator is for development only — don't use the output as production secrets, and never paste real production keys here.

1. Pick the algorithm. HS256 (HMAC) is symmetric — same secret to sign and verify. RS256/ES256 are asymmetric — sign with private key, verify with public.
2. Set the header. typ: JWT, alg as picked. Add kid if your verifier rotates keys.
3. Build the payload. Standard claims: iss (issuer), sub (user ID), aud (audience), exp (expiration — Unix seconds), iat (issued at), nbf (not before). Custom claims go alongside.
4. Enter the signing secret (HS256) or paste the private key (RS256/ES256). Use a 256-bit random secret for HMAC; never reuse short or predictable values.
5. Copy the resulting JWT (three Base64URL-encoded parts: header.payload.signature). Verify with the matching key in your auth server's JWT library.

Common mistakes to avoid

Using alg: none in production. Accepting unsigned tokens lets anyone forge any identity. Always whitelist allowed algorithms server-side.
HS256 with a weak secret. Anything under 32 random bytes is brute-forceable. Use 256-bit random keys, or switch to RS256/ES256.
Forgetting exp. Tokens without expiration live forever — a leaked token is permanent compromise. Set short exp (5–60 min) and rotate refresh tokens.
Storing secrets inside the JWT payload. Bodies are Base64-encoded, not encrypted. Use JWE (encrypted JWT) for sensitive claims, or store server-side and reference by ID.
Not validating iss and aud on the server. A token signed for service A can be replayed against service B if the secret is shared and audience isn't checked.
Pasting production private keys into online tools. Even tools that swear they're client-only — verify the network tab. For real keys, use server-side libraries (jsonwebtoken, PyJWT, Auth0).

Frequently Asked Questions

What is a JSON Web Token (JWT) and what are its parts?

A JWT is a compact, URL-safe token defined by RFC 7519 for securely transmitting claims between two parties. It has three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims like iss, sub, exp, iat), and the Signature (HMAC or RSA signature of the header and payload). JWTs are widely used in OAuth 2.0, OpenID Connect, and stateless API authentication.

How do I set an expiration time on a JWT?

The exp claim is a Unix timestamp (seconds since epoch) indicating when the token expires. To expire in 1 hour, set exp to the current time plus 3600. Common companion claims include iat (issued at — when the token was created) and nbf (not before — the token is invalid before this time). Use the quick buttons above to auto-fill these values.

Is it safe to generate JWT tokens in an online tool?

Yes, when the tool runs entirely client-side. This generator uses the browser's Web Crypto API (crypto.subtle) for HMAC-SHA signing. Your secret key and payload data never leave your machine — no data is sent to any server. For production systems, always sign tokens on the server and never embed your signing secret in client-side JavaScript code.

JWT Generator

How to use the JWT generator

Common mistakes to avoid

Frequently Asked Questions

Related Tools