JWT Generator

Generate signed JSON Web Tokens with custom headers, payload claims and HMAC-SHA signing. Your secret key never leaves your browser — signing uses the Web Crypto API client-side.

Last updated: March 2026

Frequently Asked Questions

What is a JSON Web Token (JWT) and what are its parts?
A JWT is a compact, URL-safe token defined by RFC 7519 for securely transmitting claims between two parties. It has three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims like iss, sub, exp, iat), and the Signature (HMAC or RSA signature of the header and payload). JWTs are widely used in OAuth 2.0, OpenID Connect, and stateless API authentication.
How do I set an expiration time on a JWT?
The exp claim is a Unix timestamp (seconds since epoch) indicating when the token expires. To expire in 1 hour, set exp to the current time plus 3600. Common companion claims include iat (issued at — when the token was created) and nbf (not before — the token is invalid before this time). Use the quick buttons above to auto-fill these values.
Is it safe to generate JWT tokens in an online tool?
Yes, when the tool runs entirely client-side. This generator uses the browser's Web Crypto API (crypto.subtle) for HMAC-SHA signing. Your secret key and payload data never leave your machine — no data is sent to any server. For production systems, always sign tokens on the server and never embed your signing secret in client-side JavaScript code.
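
The HS256 signing and the exp/iat/nbf handling described in the answers above, as an added example (not this tool's own source code). The function names `signJwt` and `verifyJwt`, the secret, and the claim values are constructed for illustration; it runs in a browser console or in Node.

```javascript
// Added example: HS256 sign + verify using the Web Crypto API.
const subtle = (globalThis.crypto || require("node:crypto").webcrypto).subtle; // fallback for older Node
const enc = new TextEncoder();
const dec = new TextDecoder();

// Base64URL without padding, as used for all three JWT parts.
const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Import the secret as a non-extractable HMAC-SHA-256 key for a single usage.
const hmacKey = (secret, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

async function signJwt(claims, secret, now = Math.floor(Date.now() / 1000), ttl = 3600) {
  const header = { alg: "HS256", typ: "JWT" };
  // iat/nbf = now, exp = now + ttl seconds (3600 = one hour); caller claims may override.
  const payload = { iat: now, nbf: now, exp: now + ttl, ...claims };
  const input = b64url(enc.encode(JSON.stringify(header))) + "." +
                b64url(enc.encode(JSON.stringify(payload)));
  const sig = await subtle.sign("HMAC", await hmacKey(secret, "sign"), enc.encode(input));
  return input + "." + b64url(new Uint8Array(sig));
}

async function verifyJwt(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  // Pin the algorithm: never let the token's own header choose how it is verified.
  if (JSON.parse(dec.decode(fromB64url(h))).alg !== "HS256") throw new Error("unexpected alg");
  // subtle.verify recomputes the MAC and compares it, avoiding a hand-written string compare.
  const ok = await subtle.verify("HMAC", await hmacKey(secret, "verify"),
                                 fromB64url(s), enc.encode(h + "." + p));
  if (!ok) throw new Error("bad signature");
  // Only trust the claims after the signature has been checked.
  const claims = JSON.parse(dec.decode(fromB64url(p)));
  if (typeof claims.exp === "number" && now >= claims.exp) throw new Error("expired");
  if (typeof claims.nbf === "number" && now < claims.nbf) throw new Error("not yet valid");
  return claims;
}

// Constructed demo values: sign a token, then verify it and print the claims.
signJwt({ sub: "user-123" }, "constructed-demo-secret")
  .then((t) => verifyJwt(t, "constructed-demo-secret")).then(console.log);
```

The payload is only Base64URL-encoded, so anyone holding the token can read the claims; the signature protects integrity, not confidentiality.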