Supports HMAC algorithms (HS256/384/512). RS/ES tokens require a private key and are not generated here.
Signing runs locally with the Web Crypto API — your payload and secret never leave your browser.
Generate and sign JSON Web Tokens (HS256/384/512) online, free. A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe credential made of three Base64URL parts — header.payload.signature. This encoder takes your JSON claims and a secret, Base64URL-encodes the header and payload, and signs them with HMAC (HS256, HS384 or HS512) using the browser's Web Crypto API, producing a complete, verifiable token without your secret ever leaving the page.
Signing runs 100% client-side with the Web Crypto API (SubtleCrypto.sign) — your payload and secret are never uploaded, which matters because the secret can mint valid tokens for your system. 100% free, no registration, and complete privacy — everything runs locally in your browser, so your data never touches a server.
Generate a signed token using HS256, HS384 or HS512 — the symmetric algorithms used by most APIs for service-to-service tokens.
Type any JSON payload — registered claims like sub, iat and exp plus your own custom fields — and the token rebuilds on demand.
Header and payload are Base64URL-encoded (not standard Base64), with padding stripped, exactly as the JWT spec requires.
Your payload and signing secret are processed locally via Web Crypto; nothing is sent to a server, so it is safe for real keys.
It assembles a JSON Web Token from your claims and a secret: it Base64URL-encodes a header ({"alg":"HS256","typ":"JWT"}) and your JSON payload, joins them with a dot, then signs that string with HMAC and appends the Base64URL signature — producing the standard header.payload.signature token.
This tool signs with the HMAC family — HS256, HS384 and HS512 — which use a single shared secret. RS256/ES256 and other asymmetric algorithms require a private key and a different signing flow, so they are intentionally not generated here.
The tool generates signed HS256/384/512 tokens for free with no signup, and unlike pasting a secret into a hosted debugger, the signing happens entirely in your browser so your secret never reaches a server.
A JWT is signed, not encrypted: the header and payload are only Base64URL-encoded, so anyone with the token can read them. Never put passwords, secrets, or sensitive personal data in the payload.
Add an exp claim to the payload as a Unix timestamp (seconds since 1970). For example, "exp": 1893456000. Verifiers reject the token once the current time passes exp; you can also add nbf (not-before) and iat (issued-at).
The secret is used locally by the Web Crypto API and is never transmitted or stored. Because the secret can create valid tokens, only ever enter it into tools whose client-side, no-upload behavior you can confirm, as this one is.
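The token assembly and the exp/nbf checks described above, written out with the Web Crypto API as an added example (not this tool's source code). The names signJwt, verifyJwt and the helpers are chosen for the illustration, and the verifier's algorithm allow-list is an addition the page does not describe.

```javascript
// Added example, not the tool's source. Runs in browsers and recent Node.js.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : undefined);
const HASH = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const utf8 = (s) => new TextEncoder().encode(s);
const text = (bytes) => new TextDecoder().decode(bytes);

// Base64URL = Base64 with '+' -> '-', '/' -> '_', and '=' padding stripped.
function b64url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(s) {
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/"));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
const hmacKey = (secret, alg, usage) =>
  subtle.importKey("raw", utf8(secret), { name: "HMAC", hash: HASH[alg] }, false, [usage]);

// Builds header.payload.signature: encode both JSON parts, join with '.', HMAC the result.
async function signJwt(payload, secret, alg = "HS256") {
  if (!Object.hasOwn(HASH, alg)) throw new Error("unsupported alg: " + alg);
  const input = b64url(utf8(JSON.stringify({ alg, typ: "JWT" }))) + "." +
    b64url(utf8(JSON.stringify(payload)));
  const sig = await subtle.sign("HMAC", await hmacKey(secret, alg, "sign"), utf8(input));
  return input + "." + b64url(new Uint8Array(sig));
}

// Returns the claims when the token is valid at time `now` (Unix seconds), else null.
async function verifyJwt(token, secret, allowed = ["HS256"], now = Date.now() / 1000) {
  try {
    const parts = token.split(".");
    if (parts.length !== 3) return null;
    const [head, body, sig] = parts;
    const { alg } = JSON.parse(text(b64urlDecode(head)));
    // Pin the algorithm on the verifier side; never accept whatever the header says.
    if (!allowed.includes(alg) || !Object.hasOwn(HASH, alg)) return null;
    const key = await hmacKey(secret, alg, "verify");
    const ok = await subtle.verify("HMAC", key, b64urlDecode(sig), utf8(head + "." + body));
    if (!ok) return null;
    const claims = JSON.parse(text(b64urlDecode(body)));
    if (typeof claims.exp === "number" && now >= claims.exp) return null; // expired
    if (typeof claims.nbf === "number" && now < claims.nbf) return null; // not yet valid
    return claims;
  } catch {
    return null; // malformed Base64URL or JSON
  }
}
```

Claims are parsed only after the signature check passes, so an unsigned or re-signed payload is never interpreted.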