JWT Builder / Generator
Build JWT tokens with custom payloads and sign them with HS256. All signing happens in your browser — your secret never leaves your device.
For testing only. Never use this in production without proper key management. Do not use real secrets or sensitive data here.
Algorithm is fixed to HS256 (HMAC + SHA-256).
Frequently Asked Questions
What is a JWT (JSON Web Token)?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three Base64URL-encoded parts separated by dots: the header (algorithm and token type), the payload (claims/data), and the signature (proof of integrity). JWTs are commonly used for authentication tokens and API authorization.
What does HS256 mean?
HS256 stands for HMAC with SHA-256. It is a symmetric signing algorithm where the same secret key is used to both sign and verify the token. The 'H' stands for HMAC (Hash-based Message Authentication Code), 'S' stands for SHA (Secure Hash Algorithm), and '256' refers to the 256-bit output length. Both parties must share the same secret key.
What are JWT claims (sub, iat, exp)?
Claims are statements about an entity (typically the user) and additional data. 'sub' (Subject) identifies who the token is about. 'iat' (Issued At) is a Unix timestamp of when the token was created. 'exp' (Expiration Time) is a Unix timestamp after which the token must no longer be accepted. 'name', 'role', and other custom keys are called private claims.
When should I use JWTs?
JWTs are ideal for stateless authentication in APIs — the server can verify the token without looking up a session in a database. They're used in OAuth 2.0, OpenID Connect, and REST API authorization. However, JWTs are not encrypted by default (only signed), so avoid putting sensitive data in the payload. For short-lived access tokens and service-to-service auth, JWTs are a popular and practical choice.