
JWT Builder

Build, sign, and customize JWT tokens. HMAC algorithms sign in your browser.

Encoded JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTc3ODQzNzQ2Nn0.VUWtrSbfJAdLcJmF1bAV8jT7o_4tmfU5w_-nly-ofx0
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload (3 claims)
{
  "sub": 1234567890,
  "name": "John Doe",
  "iat": 1778437466
}
Signature

HMAC256(base64UrlEncode(header) + '.' + base64UrlEncode(payload), secret)

All processing happens in your browser. No data is sent to any server.

About this tool

  1. Set header claims

     Choose the signing algorithm (HS256, RS256, etc.) and optional key ID (kid).

  2. Define payload claims

     Add standard claims like sub, iss, exp, iat, and any custom claims you need.

  3. Enter the signing key

     Provide the secret (for HMAC) or private key (for RSA/EC) to sign the token.

  4. Generate and copy

     The signed JWT is generated instantly - copy the token or decode it to verify.

  • Always set an exp (expiration) claim to prevent tokens from being valid forever.
  • Use RS256 with public/private key pairs for production - HS256 shared secrets are harder to rotate.
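  • The iat (issued at) and nbf (not before) claims let a verifier reject tokens that are too old or not yet valid, which helps prevent token reuse attacks.
  • Never put sensitive data like passwords in JWT payloads - they are base64url-encoded, not encrypted, so anyone holding the token can read them.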
  • Supports HS256, HS384, HS512, RS256, RS384, RS512, ES256, and ES384 algorithms
  • Standard claim helpers with datetime pickers for exp, iat, and nbf
  • Custom claim editor for adding any key-value pairs to the payload
  • Real-time token preview showing header, payload, and signature segments
  • Built-in decoder to verify tokens after generation
  • Generate test JWT tokens for development and API testing
  • Build tokens with specific claims to test authorization middleware
  • Create demo tokens for authentication flow documentation
  • Debug JWT issues by building tokens with known payloads and verifying signatures
Use it for development and testing. For production, generate tokens server-side where your signing keys are securely stored.
HS256 uses a shared secret for signing and verification. RS256 uses a private key to sign and a public key to verify, which is more secure for distributed systems.
Common causes: wrong secret/key, algorithm mismatch between header and verifier, or an expired token. Check all three.
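The three causes listed above can be told apart in code. The following is an added example, not part of the tool or its source: it signs an HS256 token using the signature formula shown earlier and reports the first reason a verifier would reject it. The function names, the result strings, the sample key and the rule that exp is mandatory are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

def b64url(data):
    """base64url without padding, as used for every JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_hs256(payload, secret):
    """HMAC-SHA256 over base64url(header) + '.' + base64url(payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segs = [b64url(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, payload)]
    signing_input = ".".join(segs)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def diagnose(token, secret, now=None):
    """Return 'ok' or the first reason an HS256 verifier rejects the token."""
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(b64url_decode(h_seg))
        sig = b64url_decode(s_seg)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return "malformed"
    # The verifier pins the algorithm; the header's alg never selects it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "alg_mismatch"
    expected = hmac.new(secret, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return "bad_signature"  # wrong secret or modified token
    # Claims are read only after the signature has been verified.
    try:
        claims = json.loads(b64url_decode(p_seg))
        exp, nbf = claims.get("exp"), claims.get("nbf")
    except (ValueError, AttributeError):
        return "malformed"
    now = int(time.time()) if now is None else now
    if not isinstance(exp, (int, float)):
        return "missing_exp"  # policy of this example: exp is mandatory
    if now >= exp:
        return "expired"
    if isinstance(nbf, (int, float)) and now < nbf:
        return "not_yet_valid"
    return "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample key, not a real one
    token = sign_hs256({"sub": "1234567890", "iat": 1000, "exp": 2000}, secret)
    print(diagnose(token, secret, now=1500), diagnose(token, b"other-key", now=1500))
```

The checks run in a fixed order (structure, algorithm, signature, then time claims), so an expired token signed with the wrong key is reported as a signature failure, not as expired.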
