Is this JWT generator safe for real production secrets?

Use test secrets only. Everything runs in your browser and is not uploaded, but security best practice is to avoid pasting long-lived production credentials into any browser-based tooling.

What does the secret is base64 option do?

Some systems store HMAC secrets as base64 strings instead of plain text. Enable this option to decode the secret bytes before signing or verifying so signatures match backend behavior.

Can this tool generate RS256 or EdDSA tokens?

Not yet. This release focuses on HMAC algorithms (HS256/384/512) for symmetric signing. For asymmetric key workflows, use the JWT decoder and RSA key generator tools together.

Why does my generated token verify locally but fail on the backend?

Most mismatches come from secret encoding differences, algorithm mismatch, or claim validation rules. Ensure both sides use the same HS algorithm, decode base64 secrets consistently, and validate iss/aud/exp using matching clocks and expected values.

Should I include sensitive user data directly in JWT payload claims?

No. JWT payloads are encoded, not encrypted, so anyone with the token can decode claims. Store only identifiers or non-sensitive metadata, and keep confidential data on trusted backend systems guarded by access controls.

How can I test not-before and expiration behavior reliably?

Generate tokens with short expiration presets and explicit nbf offsets, then verify them with controlled times in your test harness. This helps confirm whether clients and APIs correctly reject expired tokens or tokens that are not yet valid.

JWT Generator (HS256/384/512)

Build standard claims, add custom JSON claims, sign JWTs with WebCrypto HMAC algorithms, and verify tokens immediately without sending secrets off-device.

Updated June 2026

Files never leave your browser

Security note: never paste production secrets. Signing and verification run entirely in your browser.

JWT Generator (HS256 / HS384 / HS512)

Algorithmkid (optional)

isssubaud

exp presetCustom exp minutesnbf minutes from now

Set iat to nowAdditional claims (JSON)

Signing secret

Secret is base64-encoded

How to use JWT Generator (HS256/384/512)

JWT Generator (HS256/384/512) creates signed JSON Web Tokens in your browser using WebCrypto HMAC, then immediately verifies the generated token with the same secret for round-trip confidence. The tool includes standard claim inputs, expiration presets, optional iat auto-fill, custom JSON claim merging, optional base64-secret decoding, and a second verification tab for pasted tokens. It is designed as a practical counterpart to the JWT decoder so you can build, inspect, and validate symmetric JWT flows end-to-end without external dependencies or server uploads.

Choose HS256, HS384, or HS512 and optionally set a kid value in the JWT header builder.
Fill standard claims (iss, sub, aud), pick an exp preset, and decide whether iat should auto-fill now.
Add extra claims in JSON form and enter your signing secret (optionally marked as base64 encoded).
Generate the token, copy header.payload.signature output, and review decoded header/payload previews.
Use the Verify tab to validate any HS token with a secret and inspect exp status immediately.

Your data never leaves your device — 100% private processing.

HS vs RS JWT signing models and trust boundaries

HMAC-based JWT algorithms (HS256/384/512) use a single shared secret for both signing and verification, which is simple and fast but requires every verifier to protect the same key material. Asymmetric algorithms such as RS256 separate responsibilities: a private key signs while a public key verifies, allowing many services to validate tokens without being able to mint them. This distinction matters for architecture and incident response. HS works well for tightly controlled systems, while RS/EdDSA are safer when validation happens across multiple independent services or partners where secret sharing would be risky.

Secret handling and operational safety for JWT tooling

Even in browser-only tools, secret hygiene is critical. Use temporary test secrets, rotate frequently, and avoid reusing production credentials in ad hoc debugging sessions. Base64-secret mode exists because some platforms store binary HMAC keys as encoded strings; decoding before signing ensures interoperability with backend validators. Also remember JWT payloads are readable by design, so avoid placing confidential data in claims and rely on short expirations plus issuer/audience checks. This generator keeps processing local, but operational discipline still determines whether your token workflows stay secure over time.

Worked examples

Generate a 1-hour token

Inputs: HS256, sub=123, exp preset 1h, secret test-secret

Result: Signed JWT + round-trip valid indicator + decoded payload preview

Verify an existing token

Inputs: Paste token + secret in Verify tab

Result: Shows valid/invalid signature and exp status active/expired/not yet valid

Glossary

HMAC: A symmetric message authentication method used by HS* JWT algorithms for signing and verification.
NumericDate: JWT timestamp format representing seconds since Unix epoch, used by exp, nbf, and iat claims.
base64url: URL-safe Base64 variant using - and _ with optional removed padding, used by JWT segments.
Round-trip verification: Immediate re-validation of a newly signed token with the same secret to confirm signature integrity.
kid: Header key identifier hint that helps verifiers choose the correct signing key.

Frequently Asked Questions

Free · No spam

Get weekly tool tips & updates

New tools, power-user tips, and productivity hacks — delivered free every Friday.

No spam, ever. Unsubscribe with one click.

Why use JWT Generator (HS256/384/512)?

Generates HS256, HS384, and HS512 tokens with browser-native WebCrypto (no external libraries)
Combines standard claims and extra JSON claims with predictable merge behavior for test fixtures
Supports base64-encoded HMAC secrets for environments that store key material in encoded form
Verifies generated or pasted JWTs and reports temporal status (expired, not yet valid, active)

Common use cases

Create short-lived test access tokens for local development and QA integration scenarios
Compare backend signature behavior by toggling plain-text versus base64-decoded secrets
Validate exp and nbf handling by generating tokens with different timing presets and offsets
Debug invalid signature incidents by pasting third-party tokens into the Verify tab with candidate secrets

Related Developer Tools

JWT Decoder

Decode and inspect JSON Web Tokens (JWT) online. View header, payload, and expiry. 100% client-side — your token never leaves your browser.

HMAC Generator

Generate HMAC signatures with SHA-1, SHA-256, SHA-384, or SHA-512 and a secret key. Uses the Web Crypto API. Free and private.

Webhook Signature Verifier

Verify Stripe, GitHub, Shopify, Slack, and generic HMAC webhook signatures with timestamp tolerance checks entirely in your browser.

JSON Formatter & Validator

Format, validate, and minify JSON instantly. Includes syntax highlighting, error detection, and a collapsible tree view — free, private, in-browser.

Regex Tester

Test and debug regular expressions online. See live matches, capture groups, and replace output. Free, private, instant.

Base64 Encoder & Decoder

Encode text or files to Base64, or decode Base64 strings back to text. Fast, free, and runs entirely in your browser.

Explore all Developer Tools.