
JWT Generator & Signer

Create and sign JSON Web Tokens with HS256, HS384, or HS512 using the Web Crypto API. Set expiry, add custom claims, and copy the signed JWT instantly.

All processing happens in your browser — nothing is sent to our servers

HS256 vs HS384 vs HS512

All three are HMAC-based algorithms. HS256 is the most widely supported and sufficient for most applications. HS384 / HS512 produce larger signatures — useful when you need additional collision resistance or are matching a specific compliance requirement. For asymmetric signing (RS256, ES256), you need a key pair — use your backend, not this browser tool. Never use this tool in production with real secrets — it's for development, testing, and learning only.

How it works
JWT Generation and Signing (HMAC)
01 Header

{"alg":"HS256","typ":"JWT"} — specifies the signing algorithm — Base64url encoded

02 Payload

Claims JSON (sub, iat, exp, custom fields) — Base64url encoded

03 Signing input

Base64url(header) + '.' + Base64url(payload) — the exact bytes that are signed

04 HMAC-SHA256

HMAC-SHA256(signing_input, secret) — keyed hash proves the token was issued by a party holding the secret

05 JWT output

header.payload.Base64url(signature) — compact, URL-safe, self-contained token

Spec: RFC 7519 (JWT), RFC 7515 (JWS), RFC 2104 (HMAC)

HMAC-based JWTs use the same secret for signing and verification — any service with the secret can forge tokens. For multi-service architectures, prefer RSA (RS256) or EC (ES256) where only one service signs.
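
The five steps above, together with the matching verification that any holder of the same secret would run, as an added example (not this tool's own source). The names signJwt and verifyJwt and all sample values are assumptions; the verifier pins HS256 itself instead of trusting the token's alg header and rejects expired tokens.

```javascript
// Added example: HS256 JWT signing and verification with the Web Crypto API.
// `subtle` is the browser global, with a fallback for older Node.js (CommonJS).
const subtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : undefined);
const enc = new TextEncoder();
const dec = new TextDecoder();

// Base64url (RFC 7515): '+' becomes '-', '/' becomes '_', padding is stripped.
const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Import the shared secret as a non-extractable HMAC-SHA256 key for one usage.
const hmacKey = (secret, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

async function signJwt(claims, secret) {
  const header = b64url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" }))); // 01
  const payload = b64url(enc.encode(JSON.stringify(claims)));                      // 02
  const signingInput = `${header}.${payload}`;                                     // 03
  const key = await hmacKey(secret, "sign");
  const sig = await subtle.sign("HMAC", key, enc.encode(signingInput));            // 04
  return `${signingInput}.${b64url(new Uint8Array(sig))}`;                         // 05
}

// Returns the claims or throws. `now` is in seconds and injectable for testing.
async function verifyJwt(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  // The accepted algorithm is fixed by the verifier, never chosen by the token.
  const header = JSON.parse(dec.decode(b64urlDecode(h)));
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  // subtle.verify recomputes the HMAC over the received header.payload bytes
  // and does the comparison, so signatures are never compared as strings here.
  const key = await hmacKey(secret, "verify");
  const ok = await subtle.verify("HMAC", key, b64urlDecode(s), enc.encode(`${h}.${p}`));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(dec.decode(b64urlDecode(p)));
  // RFC 7519: the current time must be before exp.
  if (typeof claims.exp === "number" && claims.exp <= now) throw new Error("token expired");
  return claims;
}
```

Claims are read only after the signature check passes; the payload of an unverified token is just attacker-controlled Base64url.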
