Is my JWT secret safe when using this tool?

Yes — all signing happens entirely in your browser using the Web Crypto API. Nothing is sent to any server. That said, never paste your real production secret here. Use a test secret or a throwaway value for debugging; keep your production secrets in environment variables.

What is HS256 and why is this the only algorithm supported?

HS256 is HMAC-SHA256 — it uses a shared secret to sign the JWT. It's the most common algorithm for server-to-server authentication where both parties share the same secret. RS256 and ES256 use asymmetric key pairs, which require private key handling that is impractical in a browser tool.

Is the JWT payload encrypted?

No. The payload is only base64url-encoded, not encrypted. Anyone with the token can decode and read the payload. Never store sensitive data (passwords, credit card numbers, PII) in a JWT payload. The signature only proves the token was created by someone with the secret — it does not hide the contents.

What does the exp claim do?

The exp (expiration) claim is a Unix timestamp (seconds since epoch) after which the token should be considered invalid. Most JWT libraries automatically reject tokens with an expired exp. The Quick Add button sets exp to 1 hour from now (current time + 3600 seconds).

Can I verify a JWT I encoded here using the JWT Decoder?

You can decode it to inspect the header and payload — the decoder is always available. However, our decoder tool does not verify the signature (that requires the secret key and is done server-side by your app). Use the encoded JWT in your application and let your server-side JWT library verify it.

JWT Encoder

Create signed JSON Web Tokens (JWT) with custom payload claims. Signs with HS256 (HMAC-SHA256) entirely in your browser.

Secret Key

AlgorithmHS256

Payload Claims

Quick Add:

KeyValue

How to Use

Create signed JSON Web Tokens (JWT) with custom payload claims. Signs with HS256 (HMAC-SHA256) entirely in your browser.

1Enter a secret key in the Secret field — use any string for testing, but never your real production secret.
2Edit the payload claims in the table. Click 'Add Claim' to add new key-value pairs.
3Use the Quick Add buttons to insert standard claims like iss (issuer), exp (expiration), or aud (audience).
4Click 'Generate Token' to sign the JWT using HMAC-SHA256 (HS256) in your browser.
5Copy the generated JWT and use it in your application, Postman, or API testing tool.

Key Features

HS256 signing via Web Crypto API — runs entirely in your browser, nothing sent to servers
Editable payload claims table — add, remove, and edit any key-value claim
Smart type coercion — numbers and booleans are encoded as JSON types, not strings
Quick Add buttons for standard JWT claims (iss, exp, aud) with sensible defaults
Color-coded output matching the JWT Decoder — red header, purple payload, cyan signature

Frequently Asked Questions

Learn More

Online JWT Encoder — Create Signed JWTs in the Browser Without Any Library