JWT Generator
Create HS256/HS384/HS512-signed JWT tokens from a header, payload, and secret. Runs entirely in your browser.
What it does
JWT (JSON Web Token, RFC 7519) is the dominant token format for stateless web authentication and API authorization. A JWT consists of three Base64URL-encoded parts separated by dots: a header (declaring the signing algorithm and token type), a payload (the claims — sub for subject, exp for expiration, iat for issued-at, plus custom claims), and a signature (an HMAC or digital signature computed over the encoded header and payload, which lets the recipient verify the token wasn't tampered with). The output looks like “xxx.yyy.zzz” — a single string that can be passed in HTTP Authorization headers, cookies, or query strings.
The generator takes your header (typically {"alg": "HS256", "typ": "JWT"}), payload (your claims as a JSON object), and signing secret, and produces a properly formatted JWT. Supported algorithms: HS256 (HMAC with SHA-256, the most common, uses a shared secret), HS384, HS512 (longer hashes, same shared-secret model). For asymmetric signing (RS256, ES256), use a server-side library — shared-secret HMAC is appropriate when signer and verifier are in the same trust domain (e.g., your own backend issuing tokens for your own API).
Common JWT use cases: user authentication (server signs a JWT after login, client sends it on every subsequent request, server verifies the signature without a database lookup), API authorization (machine-to-machine tokens with specific scopes), single sign-on (one identity provider issues JWTs accepted by multiple services), and short-lived password reset / email verification tokens. Standard claims to include: sub (subject — user ID), iat (issued-at), exp (expiration — always set this; tokens valid forever are a security risk), aud (audience — which service should accept it), iss (issuer — which service signed it). Custom claims for your app: user roles, permissions, tenant ID. Don't put sensitive data in JWTs — they're base64-encoded, not encrypted; anyone with the token can read the payload.
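The signing step the generator performs, and the matching verification step a backend runs, shown as an added example in Python with only the standard library (this is not the tool's own code). The header, payload and secret are constructed sample values; the verifier pins the expected algorithm rather than trusting the token's own header.

```python
import base64
import hashlib
import hmac
import json

# HMAC algorithms the page covers, mapped to their hash functions.
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """Base64URL without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url: restore padding, then decode (raises ValueError if malformed)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce header.payload.signature; the HMAC covers the two encoded segments."""
    header = {"alg": alg, "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url(compact(header)) + "." + b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), ALGS[alg]).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secret: bytes, expected_alg: str = "HS256"):
    """Recompute the HMAC with the shared secret and compare in constant time.
    Returns the claims dict on success, None on any failure (bad format, wrong
    or missing alg, bad signature). The alg is pinned by the verifier, so a
    header claiming 'none' or a different HMAC size is rejected outright."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        given_sig = b64url_decode(s64)
    except ValueError:          # covers bad split, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    return claims
```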
Embed this tool on your site
Paste this snippet into any page. Loads on-demand (lazy), no tracking scripts, and sized to most dashboards. Replace the height to fit your layout.
<iframe src="https://freetoolarena.com/embed/jwt-generator" width="100%" height="720" frameborder="0" loading="lazy" title="JWT Generator" style="border:1px solid #e2e8f0;border-radius:12px;max-width:720px;"></iframe>
How to use it
- Fill in or accept the default header (alg + typ).
- Write your payload as a JSON object — include sub, iat, exp at minimum.
- Enter a signing secret (32+ random bytes recommended for HS256).
- Pick algorithm (HS256 default for most cases).
- Click Generate — copy the resulting JWT.
- Test by pasting into jwt.io to verify it decodes correctly with your secret.
When to use this tool
- Testing JWT-based auth integrations during development.
- Generating sample tokens for API documentation or Postman collections.
- Quick token generation for ad-hoc API requests.
- Educational — understanding JWT structure by inspecting generated tokens.
- Mocking auth in test environments where you control both signer and verifier.
When not to use it
- Production token issuance — use a real auth library (jose, jsonwebtoken) or auth provider (Auth0, Clerk, Supabase Auth, AWS Cognito). Browser-based generation isn’t secure for production.
- Asymmetric signing (RS256, ES256) — that requires private keys which should never enter a browser tool. Use server-side libraries.
- Generating tokens with sensitive secrets — paste-in browser is fine for test secrets, dangerous for production secrets.
- Issuing tokens that need centralized revocation — JWTs are stateless; for revocation use opaque tokens or short-lived JWTs + refresh.
Common use cases
- Pre-decision sanity-check on inputs and outputs
- Educational use — demonstrating the underlying concept
- Onboarding a colleague who needs the same calculation/conversion
- Verifying a number or output before passing it on
Frequently asked questions
- What's the difference between HS256 and RS256?
- HS256 (HMAC with SHA-256) uses a shared secret — same string signs and verifies. Symmetric: simpler, faster, but anyone with the secret can both sign and verify. RS256 (RSA Signature with SHA-256) uses asymmetric keys — private key signs, public key verifies. Better for distributed systems where the issuer and verifier are different trust domains. Most consumer apps use HS256; large microservice deployments use RS256 with a JWKS endpoint.
- Are JWTs encrypted?
- No. JWTs are base64-encoded and signed (so tampering is detected), but the payload is plaintext readable by anyone holding the token. Don’t put passwords, SSN, or sensitive PII in JWTs. For encrypted tokens, use JWE (JSON Web Encryption, RFC 7516) — different specification, less commonly used.
- How long should tokens last?
- Short-lived: 15-60 minutes for access tokens (limits damage if stolen). Use refresh tokens (24 hours - 30 days) to silently get new access tokens without re-login. Email verification / password reset tokens: 15 minutes - 24 hours. API service-to-service tokens: 1 hour typical. Never issue tokens with no expiration; never set expiration over a year for any user-facing token.
- Is the secret in the JWT?
- No — the secret signs the token but is never included in the token itself. The token contains a signature (HMAC of header+payload using the secret), not the secret. The verifier needs to know the secret separately to recompute and compare signatures. This is critical: if you put the secret in the payload, anyone with the token can read it.
- What are the standard JWT claims?
- RFC 7519 defines: iss (issuer — who signed), sub (subject — user ID), aud (audience — intended recipient), exp (expiration time — Unix timestamp), nbf (not before — token not valid before this time), iat (issued at — Unix timestamp), jti (JWT ID — unique identifier for revocation tracking). Plus custom claims for your application (roles, permissions, tenant_id, etc.). Always set exp; usually set iat and sub.
- Can I revoke a JWT?
- Not directly — JWTs are stateless by design. To revoke, options: (1) keep a server-side blocklist of revoked tokens (defeats the stateless benefit), (2) use very short-lived JWTs + refresh tokens (revoke the refresh token, JWT expires soon naturally), (3) sign with a versioned key and rotate the key (invalidates all tokens). Most production deploys use option 2: 15-minute access tokens with refresh-token rotation.
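The claim checks from the FAQ (exp, nbf, iat, iss, aud) together with revocation option (1), a server-side jti blocklist, as an added example in Python; it is not the tool's code. The issuer and audience strings, the one-hour lifetime cap and the 30-second clock-skew leeway are assumed policy values for a hypothetical API; the function runs only after the signature has already been verified.

```python
import time

# Assumed policy for a hypothetical service (placeholders, not values from the page).
EXPECTED_ISS = "https://auth.example.test"   # the only issuer we accept
EXPECTED_AUD = "orders-api"                  # this service's audience name
MAX_LIFETIME = 60 * 60                        # reject tokens minted for more than 1 hour
LEEWAY = 30                                   # seconds of clock skew tolerated

# Revocation option (1): server-side blocklist keyed on the jti claim.
REVOKED_JTIS = set()


def validate_claims(claims: dict, now=None, revoked=None):
    """Return (ok, reason) for an already signature-verified claims dict."""
    now = int(time.time()) if now is None else now
    revoked = REVOKED_JTIS if revoked is None else revoked
    for name in ("exp", "iat", "sub"):          # always set exp; usually iat and sub
        if name not in claims:
            return False, f"missing {name}"
    if not isinstance(claims["exp"], int) or not isinstance(claims["iat"], int):
        return False, "exp/iat must be integer Unix timestamps"
    if now >= claims["exp"] + LEEWAY:
        return False, "expired"
    if "nbf" in claims and now + LEEWAY < claims["nbf"]:
        return False, "not yet valid"
    if claims["iat"] > now + LEEWAY:
        return False, "issued in the future"
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return False, "lifetime too long"
    if claims.get("iss") != EXPECTED_ISS:
        return False, "wrong issuer"
    aud = claims.get("aud")                     # aud may be a string or a list
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in audiences:
        return False, "wrong audience"
    if claims.get("jti") in revoked:
        return False, "revoked"
    return True, "ok"
```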