🔐 JWT Encoder / Generator – Create Signed JSON Web Tokens Online
The JWT Encoder is a browser-based tool for creating, signing, and inspecting JSON Web Tokens (JWTs) as defined in RFC 7519. Whether you are building REST APIs, debugging OAuth 2.0 / OpenID Connect flows, or simply learning how JWTs work, this tool lets you compose a token from its three parts — Header, Payload, and Signature — and generates the final encoded string entirely in your browser.
What is a JWT?
A JWT is a compact, URL-safe string made of three Base64URL-encoded segments separated by dots (.):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 ← Header
.eyJzdWIiOiJ1c2VyXzEyMyIsImlhdCI6MTcwMDAwMDAwMH0 ← Payload
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c ← Signature

The Header declares the token type and signing algorithm. The Payload carries the claims — assertions about the subject plus any custom data you need. The Signature cryptographically binds the first two parts to a secret or key pair, so any change to them is detected when the token is verified.
Supported Signing Algorithms
| Algorithm | Type | Use Case |
|---|---|---|
| HS256 / HS384 / HS512 | HMAC (symmetric) | Single-service tokens, microservices with shared secret |
| RS256 / RS384 / RS512 | RSA PKCS#1 (asymmetric) | Multi-service auth — verifiers only need the public key |
| ES256 / ES384 / ES512 | ECDSA (asymmetric) | Compact signatures for constrained environments (IoT, mobile) |
| none | Unsigned | Testing only — never use in production |
Standard JWT Claims
RFC 7519 defines a set of registered claim names with well-known semantics. Using these consistently enables interoperability across libraries and platforms:
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | Identifies who issued the token |
| sub | Subject | Identifies the principal (e.g., user ID) |
| aud | Audience | Recipients the token is intended for |
| exp | Expiration Time | Unix timestamp after which the token is invalid |
| nbf | Not Before | Token must not be accepted before this time |
| iat | Issued At | Unix timestamp when the token was issued |
| jti | JWT ID | Unique identifier to prevent replay attacks |
How to Use the JWT Encoder
- Choose an algorithm from the dropdown — start with `HS256` for simplicity.
- Edit the Header JSON if needed. The tool automatically updates the `alg` field when you switch algorithms.
- Build the Payload — type raw JSON or click the quick-add buttons to insert standard claims like `iat`, `exp`, or `sub`. Use expiry presets (5 min, 1 hr, 24 hr, etc.) to auto-fill timestamps.
- Enter your secret (for HMAC) or paste your PEM private key (for RSA/ECDSA). The secret strength indicator warns if your HMAC secret is too short.
- Copy the token — the colour-coded output updates in real time. Red = Header, Purple = Payload, Teal = Signature.
Security Considerations
Key security points to keep in mind:
- HS256 secret length: The NIST recommendation is at least 256 bits (32 bytes) for HS256. Shorter secrets are susceptible to brute-force attacks.
- Algorithm confusion attacks: Always verify the `alg` header server-side. Never blindly trust the algorithm specified in a received token.
- alg: none: Several JWT libraries historically accepted unsigned tokens if the algorithm was set to `none`. Always explicitly reject `none` in production code.
- Sensitive data in payload: The payload is only Base64URL-encoded, not encrypted. Anyone with the token can read the claims. Use JWE (JSON Web Encryption) if the payload contains sensitive data.
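As an added example (not the tool's own code, which runs on the browser's Web Crypto API), here is the HS256 encode path described under "What is a JWT?" together with a server-side verifier that applies the points above: the algorithm is pinned rather than read from the token (which also rejects `none`), the signature is compared in constant time, and `exp` / `nbf` are checked. The 32-byte secret and the `now` value are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: 32 bytes, the minimum length this page recommends for HS256.
SECRET = b"demo-secret-please-replace-32by!"


def b64url_encode(data: bytes) -> str:
    # Base64URL without padding, as RFC 7519 segments are written.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature for HS256 (HMAC-SHA256 over the first two segments)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the token is valid for this verifier; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three segments")
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm server-side: the token's own 'alg' is never trusted,
    # so 'none' and RS/ES algorithm-confusion headers are rejected up front.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims
```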
RSA / ECDSA Key Format
For RSA and ECDSA algorithms, provide your private key in PKCS#8 PEM format. You can generate a test key pair with OpenSSL:
```bash
# RSA 2048-bit key pair
openssl genrsa -out private.pem 2048
openssl pkcs8 -topk8 -nocrypt -in private.pem -out private_pkcs8.pem
openssl rsa -in private.pem -pubout -out public.pem

# ECDSA P-256 key pair (for ES256)
openssl ecparam -name prime256v1 -genkey -noout -out ec_private.pem
openssl pkcs8 -topk8 -nocrypt -in ec_private.pem -out ec_private_pkcs8.pem
openssl ec -in ec_private.pem -pubout -out ec_public.pem
```
All Processing Happens in Your Browser
The JWT Encoder uses the browser's built-in Web Crypto API for all cryptographic operations. Your header, payload, secret, and private key are never transmitted to any server. The tool works entirely offline once the page has loaded.