JWT Generator

Create and sign JSON Web Tokens with custom payloads and HMAC signatures

Encoded Token

Signing is only available in the browser, so the token shown here is unsigned: its third (signature) segment is empty.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJvbmRldnRvb2xzLmNvbSIsInN1YiI6IjEyMzQ1Njc4OTAiLCJleHAiOjE3Nzc4MTIxMTcsImlhdCI6MTc3NzgwODUxNywibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.

Decoded Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Decoded Payload

{
  "iss": "ondevtools.com",
  "sub": "1234567890",
  "exp": 1777812117,
  "iat": 1777808517,
  "name": "John Doe",
  "admin": true
}

How to generate JWT tokens online?

Generate and sign JSON Web Tokens with custom payloads using our free JWT generator. Supports HMAC algorithms (HS256, HS384, HS512) with browser-based signing via the Web Crypto API. Build tokens with standard claims, custom data, and preset templates.

Features

  • HMAC signing with HS256, HS384, and HS512 using the Web Crypto API
  • Editable standard JWT claims: iss, sub, aud, exp, iat, nbf, jti
  • Add unlimited custom claims with automatic type detection
  • Preset templates for API auth, user session, and service-to-service tokens
  • Live decoded header and payload preview in pretty-print JSON

How to use

  1. Select an algorithm and enter your secret key (HMAC) or choose a preset template.
  2. Enable and fill in the standard claims you need, then add any custom claims.
  3. Click Generate to create the signed token, then copy it to your clipboard.

Tips & Best Practices

  • All processing happens locally in your browser — your data never leaves your device.
  • Never share sensitive tokens or passwords in unencrypted channels.
  • Regularly rotate your secrets, keys, and passwords for better security.
  • Use strong, unique values for each service or application.
  • Verify the output before using it in production environments.
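An added example, not this tool's own code: the HS256 signing that the steps above perform through the Web Crypto API, next to the verification a consumer should run before trusting a token. The function names and rejection messages are assumptions of this example, and it covers HS256 only.

```javascript
// Added example: HS256 signing and strict verification with the Web Crypto API.
const enc = new TextEncoder();
const dec = new TextDecoder();
const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const parseJson = (segment) => JSON.parse(dec.decode(fromB64url(segment)));

// Browsers and current Node expose crypto.subtle globally; older Node needs the import.
async function hmacKey(secret) {
  const subtle = globalThis.crypto?.subtle
    ?? (await import('node:crypto')).webcrypto.subtle;
  // extractable = false: the imported key cannot be read back out by script.
  const key = await subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
  return { subtle, key };
}

async function signHs256(payload, secret) {
  const { subtle, key } = await hmacKey(secret);
  const input = [{ alg: 'HS256', typ: 'JWT' }, payload]
    .map((obj) => b64url(enc.encode(JSON.stringify(obj)))).join('.');
  const sig = await subtle.sign('HMAC', key, enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

// Returns the payload, or throws with the reason the token was rejected.
async function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3 || !parts[2]) throw new Error('missing signature');
  // Pin the algorithm on the verifier side; never let the header choose it.
  if (parseJson(parts[0]).alg !== 'HS256') throw new Error('unexpected alg');
  const { subtle, key } = await hmacKey(secret);
  const ok = await subtle.verify('HMAC', key, fromB64url(parts[2]),
    enc.encode(`${parts[0]}.${parts[1]}`));
  if (!ok) throw new Error('bad signature');
  // Claims are read only after the signature has been checked.
  const payload = parseJson(parts[1]);
  if (typeof payload.exp === 'number' && payload.exp <= now) throw new Error('expired');
  if (typeof payload.nbf === 'number' && payload.nbf > now) throw new Error('not yet valid');
  return payload;
}
```

The encoded token shown at the top of this page ends in a bare `.` with no signature segment, so `verifyHs256` rejects it with `missing signature`.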

FAQ

What algorithms does this JWT generator support?

The tool supports five algorithms: HS256, HS384, and HS512 for HMAC-based signing, plus RS256 and ES256 for display purposes. Browser-based signing is fully supported for all three HMAC variants using the Web Crypto API.

Is my secret key sent to any server?

No. All signing and encoding happens entirely in your browser using the Web Crypto API. Your secret key, payload data, and the generated token never leave your device.

What are standard JWT claims like iss, sub, and exp?

These are registered claim names defined in RFC 7519. 'iss' identifies the issuer, 'sub' identifies the subject, 'exp' sets the expiration time, 'iat' records when the token was issued, 'aud' specifies the intended audience, 'nbf' defines the earliest valid time, and 'jti' is a unique identifier.

Can I add custom claims to the JWT payload?

Yes. Use the Custom Claims section to add as many key-value pairs as you need. The tool automatically detects value types: numbers, booleans, JSON arrays, and JSON objects are parsed accordingly.

Why can I not sign tokens with RS256 or ES256?

RS256 and ES256 require an RSA or ECDSA private key respectively. Handling private keys securely in a browser is impractical for a general-purpose tool. For asymmetric algorithms, generate keys locally using OpenSSL and sign with a CLI tool or library.

How is the expiration time calculated?

If you leave the exp field empty and enable it, the tool automatically sets the expiration to one hour from the current time. You can also enter a specific Unix timestamp. The iat (issued at) field defaults to the current time.