JWT Generator

Sign HS256/384/512 JSON Web Tokens in your browser with a custom payload.

Written by Golam Rabbani, Founder & Lead Engineer

Generates HMAC-signed JWTs (HS256, HS384, HS512) using your browser's Web Crypto API. The secret never leaves the page. Use a sufficiently long, random secret for real systems.

Payload: Standard claims are sub, iss, aud, iat. Add your own. `exp` is auto-set from "Expires in (seconds)" below.

Secret: UTF-8 string. Used as the raw HMAC key.

Expires in (seconds): Leave blank to omit the `exp` claim. For example, 3600 = 1 hour.

How to use this JWT generator

  1. Pick an HMAC algorithm — HS256, HS384, or HS512.
  2. Edit the JSON payload to include the claims you need (sub, name, role, custom fields).
  3. Enter a secret. For real systems use a long, random, high-entropy string.
  4. Optionally set "Expires in (seconds)" — leave blank to omit the `exp` claim, or set 3600 for one hour.
  5. Press Generate JWT, then click Copy token to use the signed token in tests or local development.

About this JWT generator

This JWT generator produces real HMAC-signed JSON Web Tokens (RFC 7519) using your browser's native Web Crypto API. It builds the three dot-separated segments of the token: a header containing the algorithm and type, a payload containing your JSON claims, and an HMAC-SHA signature computed over `header.payload` with your secret as the key. The header and payload are each base64url-encoded as the spec requires, as is the signature. Nothing is sent to a server: the secret and payload both stay in your browser tab.

For example, with algorithm HS256, payload {"sub":"user_123","name":"Ada Lovelace","iat":1716840000}, secret "demo-secret-please-change", and Expires-in 3600, the tool sets `exp` to `iat + 3600` and emits a token like "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsIm5hbWUiOiJBZGEgTG92ZWxhY2UiLCJpYXQiOjE3MTY4NDAwMDAsImV4cCI6MTcxNjg0MzYwMH0.<base64url-signature>". The token is suitable for local development, end-to-end test fixtures, and debugging auth flows. RSA (RS256/384/512) and ECDSA (ES256/384/512) are not offered here because RSA key generation in-browser is too slow for an interactive tool — use a server-side script for those.
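
The token construction described above, as an added example rather than this tool's own source: it signs with the Web Crypto API and, going one step beyond the page, verifies the result with a pinned algorithm and an `exp` check. The function names, and the rule that `exp` counts from `iat` when the payload has one, are assumptions.

```javascript
// Added example, not the tool's own source. Runs in a browser or in Node.
const HASH = new Map([['HS256', 'SHA-256'], ['HS384', 'SHA-384'], ['HS512', 'SHA-512']]);
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url without padding, the encoding used for every JWT segment.
const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

async function hmacKey(alg, secret, usage) {
  const hash = HASH.get(alg);
  if (!hash) throw new Error('unsupported alg');
  // Browsers and current Node expose globalThis.crypto; the import covers older Node.
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  // The secret's UTF-8 bytes are the raw HMAC key; the key is non-extractable.
  const key = await subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash }, false, [usage]);
  return { subtle, key };
}

async function signJwt(alg, claims, secret, expiresIn) {
  const payload = { ...claims };
  // Assumption: exp counts from the payload's iat when present, else from the current time.
  if (expiresIn != null) payload.exp = (payload.iat ?? Math.floor(Date.now() / 1000)) + expiresIn;
  const input = [{ alg, typ: 'JWT' }, payload]
    .map((part) => b64url(enc.encode(JSON.stringify(part)))).join('.');
  const { subtle, key } = await hmacKey(alg, secret, 'sign');
  const sig = await subtle.sign('HMAC', key, enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

async function verifyJwt(token, secret, expectedAlg, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, ...rest] = token.split('.');
  if (!h || !p || !s || rest.length) throw new Error('malformed token');
  // Pin the algorithm at the verifier; do not let the token header choose it.
  if (JSON.parse(dec.decode(unb64url(h))).alg !== expectedAlg) throw new Error('alg mismatch');
  const { subtle, key } = await hmacKey(expectedAlg, secret, 'verify');
  // subtle.verify recomputes the HMAC over `header.payload` and checks the signature.
  const ok = await subtle.verify('HMAC', key, unb64url(s), enc.encode(`${h}.${p}`));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(dec.decode(unb64url(p)));
  if (claims.exp !== undefined && now >= claims.exp) throw new Error('token expired');
  return claims;
}
```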

FAQ

Which algorithms does the generator support?
HS256, HS384, and HS512 — all three HMAC variants in RFC 7518. They use SHA-256, SHA-384, and SHA-512 respectively, with your secret as the raw HMAC key.

What about RS256, ES256, or other asymmetric algorithms?
Not in this tool. Browser-side RSA key generation is slow and asymmetric keys are usually managed server-side anyway. For RS256/ES256 use a backend library (jsonwebtoken, PyJWT, jose).

Is the secret sent anywhere?
No. The secret is converted to bytes and passed to crypto.subtle.importKey + crypto.subtle.sign entirely in your browser. Nothing leaves the page.

How does the `exp` claim work?
If you enter "3600" the tool sets exp = current Unix time + 3600 seconds (one hour from now). Leave the field blank to omit the claim, in which case the token never expires.

Should I use this for production tokens?
No. Issue production tokens from your trusted backend, where you control secret rotation, expiry policy, and audit logging. This generator is for local development, debugging, and test fixtures.

Can I customise the header?
The header is fixed to `{alg, typ:"JWT"}` because adding arbitrary header fields (like custom `kid` values) is rarely needed for hand-crafted test tokens. If you need a custom header, generate the token here and rebuild the header yourself before re-signing.