How do I generate a JWT token?

Select an algorithm (HS256, HS384, or HS512), enter or generate a secret key, customize the payload JSON with your claims (sub, name, email, exp, etc.), and click "Generate JWT." The tool creates a three-part token (header.payload.signature) that you can copy and use for testing or development.

What JWT algorithms are supported?

This tool supports HMAC algorithms: HS256 (SHA-256), HS384 (SHA-384), and HS512 (SHA-512). These are symmetric algorithms that use a secret key for both signing and verification. For asymmetric algorithms like RS256 (RSA) or ES256 (ECDSA), use backend JWT libraries that support public/private key pairs.

What should I put in the JWT payload?

The payload contains claims (data) about the user or session. Standard claims include: sub (subject/user ID), iat (issued at timestamp), exp (expiration timestamp), aud (audience), iss (issuer), name, email, and role. Use the presets for common patterns like authentication tokens, API access tokens, or session tokens. Always include exp to prevent token reuse.

How do I set JWT expiration time?

Add an exp claim with a Unix timestamp (seconds since Jan 1, 1970). Calculate it as current time + duration in seconds. For 1 hour: Math.floor(Date.now() / 1000) + 3600. For 24 hours: + 86400. For 7 days: + 604800. The presets automatically set appropriate expiration times (1 hour for auth, 24 hours for API, 30 minutes for sessions).

Is this tool safe for production use?

No, this is a development and testing tool only. It uses client-side hashing, which is not cryptographically secure for production JWTs. For production, use server-side JWT libraries like jsonwebtoken (Node.js), PyJWT (Python), jose (Go), or java-jwt (Java) that implement proper HMAC signing. Never expose secret keys in client-side code.

How long should my secret key be?

For HS256, use at least 256 bits (32 characters). For HS384, use 384 bits (48 characters). For HS512, use 512 bits (64 characters). The tool generates secure 32-character keys with random alphanumeric and special characters. Store secret keys securely using environment variables or secrets management systems. Never commit keys to version control.

Back

JWT Token Generator

A JWT (JSON Web Token) generator creates signed tokens for authentication and API authorization. JWTs consist of three Base64URL-encoded parts: header (algorithm and type), payload (claims like sub, exp, iat), and signature (HMAC hash using secret key). To generate: select algorithm (HS256, HS384, or HS512), provide secret key (32+ characters recommended), define payload claims in JSON format, and the tool creates a signed token. Common use cases: user authentication sessions, API access tokens, OAuth 2.0 bearer tokens, stateless authorization. Always set exp (expiration) claim to prevent token reuse. For production, use server-side JWT libraries with proper HMAC or RSA signing.

Generate JWT (JSON Web Token) tokens online for testing and development. Create JWTs with custom payload, select HMAC algorithm (HS256/HS384/HS512), and use your secret key. Includes presets for auth, API access, and sessions.

Works OfflineDark ModeNo Ads

JWT Token Generator

Algorithm

HMAC with SHA-256, SHA-384, or SHA-512

Secret Key

Keep this secret safe! Use a strong, random key in production.

Payload Presets

Payload (JSON)

Standard claims: sub (subject), iat (issued at), exp (expiration), aud (audience), iss (issuer)

About JWT Tokens

What is a JWT? A JSON Web Token (JWT) is a compact, URL-safe token format for securely transmitting information between parties. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature.

Use Cases: Authentication (login sessions), API authorization, secure data exchange, single sign-on (SSO), and stateless authentication in microservices.

Security Note: This tool generates JWTs for development and testing purposes using client-side hashing. For production systems, use a proper JWT library (jsonwebtoken, jose, etc.) with HMAC signing on your backend. Never expose secret keys in client-side code.

Common Claims: sub (subject/user ID), iat (issued at timestamp), exp (expiration timestamp), aud (audience), iss (issuer), jti (JWT ID). Exp claim should use Unix timestamp format.

How to Use

Enter your value in the input field
Click the Calculate/Convert button
Copy the result to your clipboard

Frequently Asked Questions

How do I generate a JWT token?: Select an algorithm (HS256, HS384, or HS512), enter or generate a secret key, customize the payload JSON with your claims (sub, name, email, exp, etc.), and click "Generate JWT." The tool creates a three-part token (header.payload.signature) that you can copy and use for testing or development.
What JWT algorithms are supported?: This tool supports HMAC algorithms: HS256 (SHA-256), HS384 (SHA-384), and HS512 (SHA-512). These are symmetric algorithms that use a secret key for both signing and verification. For asymmetric algorithms like RS256 (RSA) or ES256 (ECDSA), use backend JWT libraries that support public/private key pairs.
What should I put in the JWT payload?: The payload contains claims (data) about the user or session. Standard claims include: sub (subject/user ID), iat (issued at timestamp), exp (expiration timestamp), aud (audience), iss (issuer), name, email, and role. Use the presets for common patterns like authentication tokens, API access tokens, or session tokens. Always include exp to prevent token reuse.
How do I set JWT expiration time?: Add an exp claim with a Unix timestamp (seconds since Jan 1, 1970). Calculate it as current time + duration in seconds. For 1 hour: Math.floor(Date.now() / 1000) + 3600. For 24 hours: + 86400. For 7 days: + 604800. The presets automatically set appropriate expiration times (1 hour for auth, 24 hours for API, 30 minutes for sessions).
Is this tool safe for production use?: No, this is a development and testing tool only. It uses client-side hashing, which is not cryptographically secure for production JWTs. For production, use server-side JWT libraries like jsonwebtoken (Node.js), PyJWT (Python), jose (Go), or java-jwt (Java) that implement proper HMAC signing. Never expose secret keys in client-side code.
How long should my secret key be?: For HS256, use at least 256 bits (32 characters). For HS384, use 384 bits (48 characters). For HS512, use 512 bits (64 characters). The tool generates secure 32-character keys with random alphanumeric and special characters. Store secret keys securely using environment variables or secrets management systems. Never commit keys to version control.

JWT Token Generator

JWT Token Generator

About JWT Tokens

How to Use

Frequently Asked Questions

Related Tools