ESC

JWT Generator & Decoder

Click "Generate JWT" to create your token...
HEADER
-
PAYLOAD
-
HEADER
-
PAYLOAD
-
All processing happens in your browser using Web Crypto API. No data is sent to any server. Never use real production secrets here.

Usage Examples

Basic User Token

A simple JWT with user identity claims. Perfect for learning JWT structure and basic authentication tokens.

API Auth Token

A complete API authentication token with issuer, audience, expiry, roles and all standard registered claims.

Service-to-Service Token

A short-lived HS512 token for secure service-to-service communication with strict time constraints.

Features

Multiple Algorithms

Support for HS256, HS384 and HS512 HMAC signing algorithms using Web Crypto API

Decode & Verify

Decode any JWT token to inspect header and payload, with optional signature verification

Color-Coded Output

JWT output with color-coded header, payload and signature parts for easy identification

Privacy First

All processing happens locally in your browser using Web Crypto API, no data sent to servers

How to Use?

1

Set Up Claims

Choose your algorithm, edit the payload JSON with your claims, and enter a secret key.

2

Generate Token

Click Generate JWT to create a signed token. The output shows color-coded header, payload and signature.

3

Decode & Verify

Switch to Decode tab to inspect any JWT token. Provide a secret key to verify the signature.

Frequently Asked Questions

A JWT is a compact, URL-safe token with three Base64url-encoded parts separated by dots: header.payload.signature. The header declares the algorithm (e.g. HS256). The payload carries claims — statements about the subject like user ID, roles, and expiry time. The signature verifies the token was not tampered with. Example: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

All three are HMAC-SHA variants — symmetric algorithms where the same secret key signs and verifies the token. The number refers to the SHA hash size: HS256 uses SHA-256 (32-byte output), HS384 uses SHA-384 (48-byte), HS512 uses SHA-512 (64-byte). HS256 is the default for most frameworks. Use HS512 for maximum security margin when performance allows.

Registered claims (IANA standard): sub (subject/user ID), iss (issuer - who issued the token), aud (audience - intended recipient), exp (expiry Unix timestamp), nbf (not before timestamp), iat (issued at timestamp), jti (unique token ID for revocation). Add custom claims for roles, permissions, and app-specific data. Avoid storing sensitive data like passwords in the payload — it is Base64url encoded, not encrypted.

Add an exp claim with a Unix timestamp value (seconds since epoch). Common values: now + 3600 (1 hour), now + 86400 (24 hours), now + 604800 (7 days). Use the Quick Claims buttons to insert standard fields. The Decode tab shows whether a token is expired or valid, and how long until expiry. An expired token should be rejected by your server even if the signature is valid.

HS256 is symmetric: the same secret key signs and verifies. RS256 is asymmetric: a private key signs the token, a public key verifies it. RS256 is better for multi-service architectures where verifiers should not be able to create tokens. This tool supports HS256/HS384/HS512 (symmetric) only. For RS256/ES256, you need a local tool with RSA/EC key pair support.

Yes. The Decode tab accepts any JWT string and shows the decoded header and payload. It also checks the exp claim and reports whether the token is expired. Signature verification requires the original secret — without it, you can read the payload but cannot confirm authenticity. Note: JWT payloads are Base64url encoded but NOT encrypted, so anyone with the token string can read the claims.

No. Even though everything runs entirely in your browser, treat this as a development and learning tool only. Production JWT secrets belong in environment variables or a secrets manager, never in a browser tool. Generate test tokens with throwaway secrets for learning, API testing, and debugging auth flows.

Nothing. All JWT signing and decoding runs in your browser using the Web Crypto API (HMAC-SHA). Zero network requests are made. You can disconnect from the internet and the tool works identically.

What Is JWT Generator?

A browser-based tool for creating and decoding JSON Web Tokens. Pick an algorithm, set your claims, enter a secret, and get a signed JWT with color-coded header, payload, and signature sections.

Generate & Decode

The Generate tab lets you build tokens with custom claims and expiry. The Decode tab inspects any JWT, checks expiration, and optionally verifies the signature if you provide the secret.

Who Needs This?

Backend devs testing auth flows, frontend devs inspecting tokens from an API, students learning how JWTs work -- anyone who touches token-based authentication during development.

Tips

Use the Quick Claims buttons to insert standard fields like iss, sub, and aud. Set an expiry so your test tokens behave realistically. The color-coded output makes it easy to spot each JWT section.

Privacy & Security

Signing uses the browser Web Crypto API with no server round-trips. Your secrets and tokens never leave your machine. Still, avoid pasting real production secrets in any browser tool.

Security and Privacy

Your data security is our priority

Local Processing

All processing happens in your browser

No Data Transfer

Your data is not sent to our servers

No Data Storage

No data is stored or shared

SSL Encryption

SSL encryption for secure connection

Next Step

Also on MoreOnlineTools