Quick Tip: Set alg to "HS256" in the header. Add exp as a Unix timestamp (e.g. current time + 3600) for a 1-hour token.

Development & Testing Only. Never paste real production secrets into any online tool. This encoder is for generating mock tokens for local development and learning purposes only.

Header (JSON)

Payload / Claims (JSON)

Secret Key (HS256)

For HS256, use a random string of at least 32 characters. In production, store secrets in environment variables — never hard-code them.

Generated JWT

Fill in the header, payload, and secret, then click Generate JWT.

What's Next?

JWT Decoder

Inspect the token you just generated

JSON Validator

Validate header & payload JSON

JSON Indenter

Format & prettify payload JSON

JSON to TypeScript

Type-safe payload interfaces

JSON to Pydantic

Python models for JWT claims

JSON to Zod

Validate decoded JWT payload at runtime

JSON to Schema

Generate schema from claims structure

JSON Path Tester

Query JWT claim values with JSONPath

JSON Diff

Compare JWT payloads side by side

JWT Encoder Online — Generate JSON Web Tokens in Your Browser

Create and sign JSON Web Tokens (JWTs) directly in your browser using HS256 (HMAC-SHA256). Provide a JSON header, JSON payload, and a secret key — the encoder uses the Web Crypto API (SubtleCrypto) for cryptographically secure signing. No data is ever uploaded. Perfect for testing authentication flows, generating mock tokens for development, and learning JWT structure hands-on.

Browser-Native Crypto: Uses crypto.subtle.sign() — the same API used in production web apps.
HS256 Signing: HMAC-SHA256 is the most widely supported JWT algorithm, used by Auth0, Firebase, and most backend frameworks.
Zero Dependencies: No external library — runs in any modern browser without installing anything.
Dev & Test Ready: Instantly generate test tokens for local development, Postman collections, and integration test fixtures.

⚠️ Never use real production secrets in any online tool. Use this encoder only with test secrets for development and learning purposes.

How JWT Signing Works: The HS256 Algorithm

HS256 (HMAC with SHA-256) is a symmetric signing algorithm — a single secret key is used both to sign and to verify the token. Here's exactly what the JWT encoder does when you click "Generate":

Serialize the header and payload objects to JSON strings.
Base64URL-encode both strings: encodedHeader and encodedPayload.
Concatenate them with a dot: signingInput = encodedHeader + "." + encodedPayload.
Compute HMAC-SHA256(signingInput, secret) using SubtleCrypto.
Base64URL-encode the 32-byte signature digest.
Return the final JWT: encodedHeader.encodedPayload.signature.

The resulting token can be verified by any JWT library that knows the same secret — jsonwebtoken in Node.js, PyJWT in Python, or the golang-jwt package in Go.

JWT Encoder in Code: Node.js, Python & Java

Use these battle-tested libraries to generate JWTs programmatically in your application backend:

Node.js (jsonwebtoken)

const jwt = require('jsonwebtoken');

const token = jwt.sign(
  {
    sub: 'user_123',
    name: 'Jane Doe',
    roles: ['admin'],
  },
  process.env.JWT_SECRET,
  {
    algorithm: 'HS256',
    expiresIn: '1h',
  }
);

Python (PyJWT)

import jwt
import time

payload = {
    "sub": "user_123",
    "name": "Jane Doe",
    "roles": ["admin"],
    "iat": int(time.time()),
    "exp": int(time.time()) + 3600,
}

token = jwt.encode(
    payload,
    os.environ["JWT_SECRET"],
    algorithm="HS256",
)

Java (jjwt)

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

String token = Jwts.builder()
  .setSubject("user_123")
  .claim("name", "Jane Doe")
  .claim("roles", List.of("admin"))
  .setIssuedAt(new Date())
  .setExpiration(
    new Date(
      System.currentTimeMillis()
      + 3_600_000
    )
  )
  .signWith(SignatureAlgorithm.HS256,
    secretBytes)
  .compact();

JWT Claims Design: What to Put in the Payload

Designing a good JWT payload is critical for security and performance. Here are the key principles for JWT token generation in production systems:

Always set exp: Tokens without an expiration are active until the key is rotated. Use short-lived tokens (15–60 minutes) with refresh token rotation for user sessions.
Keep payloads small: JWTs are attached to every request. Large payloads increase bandwidth. Include only the claims your application actually reads — typically sub, roles, and a few custom claims.
Never include sensitive data: Passwords, credit card numbers, SSNs, or any PII have no place in a JWT payload — the payload is only Base64URL-encoded, not encrypted.
Use jti for one-time tokens: Include a unique JWT ID claim to enable token blacklisting and prevent replay attacks in high-security flows.
Scope-based authorization: Following OAuth 2.0 patterns, store permissions as a scope string ("read:users write:posts") or a roles array for RBAC systems.

RS256 vs HS256: Choosing the Right JWT Algorithm

The choice between symmetric (HS256) and asymmetric (RS256 / ES256) signing algorithms is architectural. Our online JWT generator supports HS256 — the right choice for many use cases:

HS256 — Use When:

A single backend service both issues and verifies tokens
All microservices share the same secret securely (e.g., via Vault or AWS Secrets Manager)
You need maximum performance (HMAC is faster than RSA)
Building an internal API, CLI tool, or prototype

RS256 / ES256 — Use When:

Multiple services verify tokens but only one service should issue them
Publishing a JWKS endpoint (/.well-known/jwks.json) for third-party verification
Building a public OAuth / OIDC authorization server
Compliance requirements mandate asymmetric signing (FAPI, OpenBanking)

JWT Encoder Quick Reference

Standard Header Fields

{
  "alg": "HS256",   // Signing algorithm
  "typ": "JWT",     // Token type
  "kid": "key-1"    // Key ID (optional,
                    // for key rotation)
}

Set alg to "HS256" to use this encoder. Other algorithms (RS256, ES256) require a private key and are best generated server-side.

Example Payload Templates

API Access Token

{ "sub":"u_123", "scope":"read write",
  "iat":1710000000, "exp":1710003600 }

OIDC ID Token

{ "iss":"https://auth.example.com",
  "sub":"u_123", "aud":"client_id",
  "email":"[email protected]",
  "iat":1710000000, "exp":1710086400 }

Service-to-Service Token

{ "iss":"billing-service",
  "aud":"inventory-service",
  "jti":"uuid-here",
  "iat":1710000000, "exp":1710000300 }

JWT Encoder vs JWT Decoder — When to Use Each

Debugging Auth

Use the JWT Decoder to inspect tokens from your auth provider — check expiry, claims, and algorithm without touching your backend.

Testing APIs

Use the JWT Encoder to generate mock tokens with specific claims (roles, scopes, expiry) for Postman, curl, or automated test suites.

Learning JWT

Use both tools together — encode a token, then decode it — to understand the full Base64URL encoding and HMAC signing pipeline hands-on.

Frequently Asked Questions

Is my data safe with this JSON tool?

Yes. This tool uses 100% client-side processing. Your JSON data never leaves your browser and is never sent to our servers, ensuring maximum privacy and security.

Does this tool work offline?

Once the page has loaded, all processing happens locally in your browser. You can disconnect from the internet and the tool will continue to work — no server connection is required to format, validate, or convert your JSON.

Is there a file size limit?

No server-side limits apply because everything runs in your browser. Practical limits depend on your device's memory, but modern browsers handle JSON files of tens of megabytes without issue.

What algorithm does this JWT encoder use?

This encoder uses HS256 (HMAC-SHA256) — the most widely supported JWT signing algorithm. It uses the browser's built-in Web Crypto API (crypto.subtle.sign) for cryptographically secure signing. The signing happens entirely in your browser, no data is sent to a server.

Can I use this JWT encoder in production?

This tool is designed for development, testing, and learning. NEVER paste real production secrets into any online tool. For production JWT generation, use server-side libraries like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt in a secure backend environment where secrets are managed via environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault).

Why only HS256? What about RS256 and ES256?

HS256 (HMAC-SHA256) requires only a shared secret, which the Web Crypto API handles natively. RS256 and ES256 require generating RSA or EC key pairs, which is more complex for a browser-based tool and those private keys should absolutely never leave your server. Use the JWT Encoder for HS256 testing; generate RS256/ES256 tokens with your backend toolchain.

How do I set the expiration in the JWT payload?

Add an "exp" field with a Unix timestamp (seconds since epoch). For example, Math.floor(Date.now() / 1000) + 3600 gives a token that expires in 1 hour. The default payload in this encoder already includes an exp set to 1 hour from now. Update it as needed.

How do I verify the generated JWT token?

Paste the generated token into our JWT Decoder to inspect the claims. To cryptographically verify the signature, use a server-side library with the same secret you used to sign it: jwt.verify(token, secret) in Node.js, or jwt.decode(token, secret, algorithms=["HS256"]) in Python.