JWT Generator (HS256)
Paste a JSON payload and a secret to create a signed HS256 JSON Web Token. The token is signed in your browser with HMAC-SHA256 and nothing is sent to a server. Use it to build test and development tokens.
How to generate a JWT
- Enter your claims as JSON in the payload box (for example sub, name and iat).
- Type the HMAC secret used to sign the token, then click Generate token.
- Copy the resulting header.payload.signature token.
Examples
Standard HS256 token
payload {"sub":"1234567890","name":"John Doe","iat":1516239022}, secret "your-256-bit-secret"
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Token with a role claim
payload {"role":"admin","exp":1700000000}, secret "test-secret"
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4iLCJleHAiOjE3MDAwMDAwMDB9.<signature>
Frequently asked questions
What is HS256?
HS256 stands for HMAC with SHA-256. It is a symmetric signing algorithm: the same secret signs the token and later verifies it. The signature is computed over the base64url header and payload, so any change to either invalidates the token.
Is my secret or payload sent anywhere?
No. The token is signed entirely in your browser using the Web Crypto API. Your payload and secret never leave the page and are not sent to a server or logged anywhere.
Should I use a real production secret here?
No. Even though signing is local, you should never paste a real production signing secret into any online tool. Use this generator for test and development tokens, and keep production secrets in your own backend.
What does a generated JWT look like?
It is three base64url strings joined by dots in the form header.payload.signature. The header names the algorithm (HS256) and type (JWT), the payload holds your claims, and the signature is the HMAC-SHA256 of header.payload using your secret.
Why do the same payload and secret always produce the same token?
HS256 signing is deterministic. With the same header, payload and secret the base64url segments and the HMAC are identical, so you get the exact same token every time. Changing the secret only changes the signature segment.
Is the payload encrypted?
No. A signed JWT is encoded, not encrypted. Anyone with the token can base64url-decode the payload and read every claim, so never put passwords or other secrets in the payload.
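The signing described in the answers above, as an added example that is not this tool's own code: HS256 signing with the Web Crypto API, plus a verifier that accepts only HS256 and returns null for a wrong secret or a changed payload. The function names are hypothetical.

```javascript
// Added example: HS256 signing and verification with the Web Crypto API.
// Runs in a browser or in Node (falls back to node:crypto's webcrypto).
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url without padding, the encoding of every JWT segment
function b64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(s) {
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/'));
  return Uint8Array.from(bin, c => c.charCodeAt(0));
}

function hmacKey(secret, usage) {
  return subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
}

async function signHS256(payload, secret) {
  const header = b64url(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const body = b64url(enc.encode(JSON.stringify(payload)));
  const input = `${header}.${body}`;
  const sig = await subtle.sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

// Returns the claims when the signature is valid, otherwise null.
async function verifyHS256(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  try {
    // Accept only HS256; the token's own header must not choose the algorithm.
    if (JSON.parse(dec.decode(fromB64url(header))).alg !== 'HS256') return null;
    const ok = await subtle.verify('HMAC', await hmacKey(secret, 'verify'),
      fromB64url(sig), enc.encode(`${header}.${body}`));
    return ok ? JSON.parse(dec.decode(fromB64url(body))) : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Constructed demo using the page's first example payload and secret.
signHS256({ sub: '1234567890', name: 'John Doe', iat: 1516239022 }, 'your-256-bit-secret')
  .then(async t => console.log(t, await verifyHS256(t, 'wrong-secret')));
```

Signing the first example's payload with "your-256-bit-secret" reproduces the token shown under Standard HS256 token.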