JWT Encoder / Builder

The alg field is overridden by the Algorithm selector below.
Signing key used for the HMAC. Never share real production secrets here.

Guide

Build signed JSON Web Tokens directly in your browser. Drop in a header and payload, pick an HMAC algorithm, supply the shared secret, and copy a ready-to-use token for API testing, debugging, or local development. All signing happens with the SubtleCrypto Web API, so your secret and claims never leave the page.

How to Use

  1. Edit the Header (JSON) block to include the typ and any custom fields such as kid. The alg value is overridden by the algorithm selector below.
  2. Edit the Payload (JSON) block with standard claims like iss, sub, iat, exp, plus any custom claims your service needs.
  3. Pick an algorithm: HS256, HS384, or HS512.
  4. Paste your shared secret. Use a random string at least as long as the hash output to match the security level of each algorithm.
  5. Copy the resulting token from the output box, or copy the header, payload, or signature parts individually.

Features

  • Three HMAC algorithms – HS256, HS384, and HS512 cover every common HMAC-signed JWT use case.
  • Real-time signing – The signed token regenerates as you edit any field, so you see the effect of each change immediately.
  • Inline JSON validation – Malformed header or payload JSON shows a clear error message before it becomes part of a broken token.
  • Part-by-part copy – Copy the complete token or grab the base64url-encoded header, payload, or signature on their own.
  • Client-side only – Signing runs in your browser using SubtleCrypto. Secrets and claims are never sent to a server.
  • Pairs with JWT Decode – Round-trip tokens between the encoder and our existing JWT Decode tool to verify claims.

When to Use This Tool

  • Testing an API endpoint that expects a bearer token with specific claims.
  • Reproducing a failing authentication scenario with a known-good token.
  • Teaching or learning how JWT signatures are constructed.
  • Generating short-lived tokens for local development without standing up an auth server.

FAQ

  1. What is a JWT and why is it signed?

    A JSON Web Token (JWT) is a compact URL-safe string made up of a header, a payload, and a signature. The signature lets the recipient verify that the header and payload were produced with knowledge of the shared secret and were not modified in transit. Without a valid signature, anyone could forge claims, which is why every token meant for authentication or authorization is signed.

  2. How does HMAC signing with HS256, HS384, and HS512 work?

    HMAC (Hash-based Message Authentication Code) combines a secret key with a cryptographic hash function. HS256 uses SHA-256 to produce a 256-bit MAC, HS384 uses SHA-384, and HS512 uses SHA-512. The signer computes HMAC over the base64url-encoded header and payload joined by a dot, then appends the base64url-encoded MAC. Anyone with the same secret can recompute the MAC and compare it to verify authenticity.

  3. Why do JWTs use base64url instead of standard base64?

    Standard base64 uses the characters +, /, and = which must be percent-encoded in URLs and can cause problems when tokens are passed as query parameters or in HTTP headers. Base64url replaces + with -, / with _, and strips the trailing = padding. This produces a string that is safe to place directly in URLs, HTTP headers, and cookies without any additional encoding.

  4. What makes a secret strong enough for HMAC-signed JWTs?

    For HS256 the secret should be at least 32 random bytes (256 bits); for HS384 at least 48 bytes; for HS512 at least 64 bytes. Short, human-chosen passwords are vulnerable to brute-force attacks because an attacker who captures a single token can guess secrets offline. Generate secrets from a cryptographic random source, store them outside your source tree, and rotate them whenever exposure is suspected.
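The signing and verification steps described in FAQ 2 to 4, written out against the SubtleCrypto API as an added example; this is not the tool's own source. The names signJwt, verifyJwt, hmacKey and HASHES are assumptions, and the verifier pins the expected algorithm instead of reading it from the token.

```javascript
// Added example; signJwt, verifyJwt and HASHES are assumed names, not the tool's source.
// Secrets are passed as Uint8Array so their length is counted in bytes.
const HASHES = { HS256: ["SHA-256", 32], HS384: ["SHA-384", 48], HS512: ["SHA-512", 64] };
const utf8 = new TextEncoder();

// Web Crypto is global in browsers and recent Node; older Node exposes it via node:crypto.
async function getSubtle() {
  return globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
}

// base64url: standard base64 with + -> -, / -> _, and trailing = removed.
function b64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromB64url(text) {
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Import the secret as a non-extractable HMAC key; reject keys shorter than the hash output.
async function hmacKey(alg, secret, usage) {
  if (!Object.hasOwn(HASHES, alg)) throw new Error(`unsupported alg: ${alg}`);
  const [hash, minBytes] = HASHES[alg];
  if (secret.length < minBytes) throw new Error(`${alg} secret must be >= ${minBytes} bytes`);
  return (await getSubtle()).importKey("raw", secret, { name: "HMAC", hash }, false, [usage]);
}

async function signJwt(header, payload, alg, secret) {
  const key = await hmacKey(alg, secret, "sign");
  // The selected algorithm overrides any alg value in the supplied header.
  const input = [{ ...header, alg }, payload]
    .map((obj) => b64url(utf8.encode(JSON.stringify(obj)))).join(".");
  const mac = await (await getSubtle()).sign("HMAC", key, utf8.encode(input));
  return `${input}.${b64url(new Uint8Array(mac))}`;
}

async function verifyJwt(token, alg, secret) {
  const key = await hmacKey(alg, secret, "verify");
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  try {
    // Pin the algorithm on the verifier side; a token naming another alg is rejected.
    if (JSON.parse(new TextDecoder().decode(fromB64url(parts[0]))).alg !== alg) return false;
    // subtle.verify recomputes the MAC over "header.payload" and compares it to the signature.
    return await (await getSubtle()).verify(
      "HMAC", key, fromB64url(parts[2]), utf8.encode(`${parts[0]}.${parts[1]}`));
  } catch { return false; }
}
```
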
