A JWT generator builds and cryptographically signs JSON Web Tokens for testing authentication flows, debugging JWT-based APIs, and learning how token-based auth works. Select an HMAC algorithm, add standard and custom claims, enter a secret key, and get a signed JWT instantly — all in your browser using the Web Crypto API.
Header
Standard Claims (Payload)
Custom Claims
Signature
Use a strong random secret in production. Never expose your real secret key.
Encoded Token
How to Use the JWT Generator
JSON Web Tokens are the standard mechanism for stateless authentication in web applications and APIs. Our free JWT generator lets you build, sign, and inspect JWTs for development and testing, using the Web Crypto API for cryptographically secure HMAC signing — all in your browser.
Step 1: Choose the Algorithm
Select HS256, HS384, or HS512 from the Algorithm dropdown. HS256 (HMAC with SHA-256) is the most widely used default and is compatible with virtually all JWT libraries. Use HS384 or HS512 if you need a stronger signature for higher-security applications.
Step 2: Add Standard Claims
Fill in the standard JWT registered claims: iss (issuer) identifies your application, sub (subject) identifies the user or entity, aud (audience) specifies the intended consumer, and exp sets how long until the token expires. The iat (issued at) claim is automatically added with the current timestamp. All standard claims are optional.
Step 3: Add Custom Claims
Click "Add field" to add custom key-value pairs to the payload. This is where you put application-specific data like user roles (role: "admin"), user IDs, permissions, subscription tiers, or any other data your API needs to decode from the token without a database lookup.
Step 4: Enter Your Secret Key and Generate
Type your secret key in the Signature section. For testing, any string works. In production, use a cryptographically random secret of at least 256 bits. Click "Generate JWT" to create the signed token. The encoded JWT appears at the top of the output panel, along with a color-coded preview of the decoded header and payload sections.
Step 5: Copy and Use the Token
Click Copy to place the JWT on your clipboard. You can use it in API requests as a Bearer token in the Authorization header (Authorization: Bearer <token>), test it in our JWT Decoder tool, or use it in Postman, Insomnia, or any HTTP client.
FAQ
Is the JWT generator free?
Yes, completely free with no account required. JWT signing uses the Web Crypto API built into your browser — no data is sent to any server.
Is it safe to generate JWTs in a browser?
For development and testing purposes, yes. The tool uses the Web Crypto API for HMAC signing, which runs entirely in your browser. Never share a secret key you use in production — this tool is designed for building test tokens, debugging JWT flows, and learning how JWTs work.
What is the difference between HS256, HS384, and HS512?
All three are HMAC algorithms that sign JWTs with a shared secret key. HS256 uses SHA-256 (256-bit hash), HS384 uses SHA-384, and HS512 uses SHA-512. Higher numbers produce longer, stronger signatures at a slight computational cost. HS256 is the most widely used default.
What are standard JWT claims (iss, sub, aud, exp, iat)?
Standard registered claims are predefined keys with specific meanings: iss (issuer) identifies who issued the token, sub (subject) identifies the token's subject, aud (audience) specifies recipients, exp (expiration) is a Unix timestamp when the token expires, and iat (issued at) is when the token was created. These are optional but standardized.
Can I add custom claims to my JWT?
Yes. Use the custom payload fields section to add any key-value pairs. Custom claims can hold user roles, permissions, user IDs, or any other data your application needs. They are included in the payload alongside standard claims.
Can I verify a JWT generated by this tool?
Yes. Use our JWT Decoder tool to decode and inspect the token. For signature verification, you can use libraries like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt with the same secret key you used to sign it. The encoded token and the secret key together are all you need for verification.