JWT Generator Online — Create & Sign JWT Tokens

Decode · Inspect · Verify · Generate JSON Web Tokens — expiry countdown, security warnings, HS256 verify — 100% browser-side

Generate real, cryptographically signed JWT tokens directly in your browser using the Web Cryptography API (SubtleCrypto). This tool supports HS256 signing — paste your custom header JSON, payload JSON, and secret key to create a production-valid JWT token. Useful for testing APIs, writing unit tests, building auth flows, and understanding how JWT signing works without setting up a server.

📌 Generate HS256 JWT
Header: {"alg":"HS256","typ":"JWT"} · Payload: {"sub":"123","name":"Raj","exp":9999999999} · Secret: my-secret
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiUmFqIiwiZXhwIjo5OTk5OTk5OTk5fQ.{valid_hs256_signature}

What is a JWT Decoder?

A JWT Decoder reads a JSON Web Token and displays its three parts in human-readable format. Every JWT contains a Header (algorithm & type), a Payload (claims — user data, expiry, issuer), and a Signature. This tool decodes all three instantly, shows expiry status with a live countdown timer, highlights standard claims with labels, detects security issues like alg:none, and supports HS256/HS384/HS512 signature verification using the browser Web Crypto API.

JWT Structure — How It Works

A JWT looks like xxxxx.yyyyy.zzzzz: three Base64URL-encoded strings joined by dots. The header and payload are only encoded, not encrypted, so anyone holding the token can read them; the signature is what proves authenticity. Only a party holding the HMAC secret (HS256) or the issuer's public key (RS256/ES256) can verify the signature. Because the claims are readable by anyone, JWTs should never contain sensitive data like passwords.

Frequently Asked Questions

Is this generator safe for production tokens?

Yes — signing uses the browser's native SubtleCrypto API (window.crypto.subtle), the same API used by production applications. Your secret never leaves the browser. However, this tool is primarily for testing and development — in production, generate tokens on your server using a vetted library like jose or jsonwebtoken.

Why does the generator only support HS256?

RS256 and ES256 require a private key (PEM format) for signing. Handling private keys in a browser tool is a security concern. HS256 with a strong random secret is sufficient for most testing scenarios. For RS256 generation, use openssl or a server-side library — the signing should happen in a secure environment.

How do I set JWT expiry when generating?

Add an "exp" field to your payload with a Unix timestamp: Math.floor(Date.now() / 1000) + 3600 = current time + 1 hour. Example payload: {"sub":"user_123","exp":1773464287}. The exp value must be in seconds, not milliseconds.

How do I test my API with the generated JWT?

Copy the generated token and use it in your API requests: curl -H "Authorization: Bearer <token>" https://api.example.com/endpoint. In Postman: Authorization tab → Bearer Token → paste token. In JavaScript: fetch(url, { headers: { Authorization: "Bearer " + token } }).

What makes a strong HS256 secret?

Use a cryptographically random secret of at least 256 bits (32 bytes): in Node.js: require("crypto").randomBytes(32).toString("hex"). Never use simple strings like "secret" or "password" — they're brute-forceable. The secret should be stored in environment variables, never hardcoded. Rotate secrets periodically.