JWT Generator
What is a JWT?
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. JWTs are widely used for authentication and information exchange in modern web applications and APIs.
How JWT Works
A JWT consists of three Base64Url-encoded parts separated by dots:
Header
Specifies the token type (JWT) and the signing algorithm (e.g. HS256).
Payload
Contains the claims — statements about the user or entity and any additional metadata.
Signature
Created by signing the encoded header and payload with your secret key to prevent tampering.
How to Generate a JWT
1. Open the Generate tab above.
2. Edit the Header JSON — the "alg" field controls the signing algorithm (HS256, HS384, or HS512).
3. Fill in your Payload JSON with the claims you need (e.g. sub, name, iat, exp).
4. Enter a strong Secret Key. This key is used to sign the token and must be kept private.
5. Click Generate. The signed JWT will appear below, color-coded by section.
6. Use Copy or Download to save the token for use in your application.
JWT Security Tips
- Always use a long, random secret key — never use a simple word or password.
- Set an expiration claim (exp) to limit token lifetime and reduce risk if compromised.
- Never store sensitive data in the payload — it's only encoded, not encrypted.
- Use HTTPS to prevent tokens from being intercepted in transit.
- Invalidate tokens server-side (blacklist or short expiry + refresh tokens) when users log out.
- Prefer RS256 or ES256 over HS256 in distributed systems — asymmetric keys are safer.
Frequently Asked Questions
Yes. All JWT operations — generation, decoding, and verification — run locally on your device using the Web Crypto API.
Currently HS256, HS384, and HS512 (HMAC-based). These are the most widely used algorithms for symmetric JWTs. RS256 and ES256 support is planned.
Yes. The Decode tab can decode any JWT regardless of algorithm or issuer, without needing the secret key. Note: decoding is different from verifying.
Decoding simply reads the Base64Url-encoded contents of the header and payload — anyone can do this. Verifying cryptographically checks that the signature was produced with the correct secret, ensuring the token was not tampered with.
Standard JWTs (JWS) are signed but NOT encrypted. The header and payload are only Base64Url-encoded and can be read by anyone. Never put sensitive data in a JWT payload unless you use JWE (JSON Web Encryption).