How does a JWT Generator work?

A JWT generator creates a token by encoding a JSON header and payload in Base64URL format, then signing the result with a secret key using an HMAC algorithm (HS256, HS384, or HS512). The three parts are joined with dots to form the final token: header.payload.signature.

Is it safe to generate JWTs in the browser?

Yes, this tool runs entirely in your browser using the Web Crypto API. Your secret key and token data never leave your device. However, for production systems, tokens should be generated on the server side where the secret key can be securely stored.

What is the difference between HS256, HS384, and HS512?

HS256, HS384, and HS512 are HMAC-based signing algorithms that use SHA-256, SHA-384, and SHA-512 hash functions respectively. HS256 is the most widely used and offers a good balance of security and performance. HS384 and HS512 provide longer signatures and higher security margins but are rarely needed in practice.

JWT Generator

Create JSON Web Tokens with custom claims and HMAC-SHA signing. Everything runs in your browser using the Web Crypto API — your secret key never leaves your device.

Algorithm

Secret Key

Issuer (iss)

Subject (sub)

Audience (aud)

JWT ID (jti)

Expiration (exp)

Include Not Before (nbf) — set to current time

Include Issued At (iat)

Custom Claims

Generated JWT Token

Header Payload Signature

Decoded Header

Decoded Payload

About JWT Generation

JSON Web Tokens (JWTs) are compact, URL-safe tokens used for securely transmitting information between parties. A JWT consists of three Base64URL-encoded parts separated by dots: the header, the payload, and the signature. This tool lets you build custom JWTs with standard and custom claims, signed with HMAC-SHA algorithms.

Standard JWT Claims

Claim	Name	Description
`iss`	Issuer	Identifies the principal that issued the JWT
`sub`	Subject	Identifies the subject of the JWT (e.g. user ID)
`aud`	Audience	Identifies the recipients the JWT is intended for
`exp`	Expiration	Unix timestamp after which the JWT must not be accepted
`nbf`	Not Before	Unix timestamp before which the JWT must not be accepted
`iat`	Issued At	Unix timestamp when the JWT was issued
`jti`	JWT ID	Unique identifier for the JWT to prevent replay attacks

HMAC Signing Algorithms

Algorithm	Hash Function	Signature Size	Recommended Key Length
HS256	SHA-256	256 bits	256 bits (32 bytes)
HS384	SHA-384	384 bits	384 bits (48 bytes)
HS512	SHA-512	512 bits	512 bits (64 bytes)

JWT Generator

About JWT Generation

Standard JWT Claims

HMAC Signing Algorithms

Related Tools

JWT Decoder

Hash Generator

Base64 Encode/Decode

Password Generator

Frequently Asked Questions