JWT Token Generator

Create signed JSON Web Tokens with custom claims and algorithm selection.

What is a JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in web applications and APIs.

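A JWT consists of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (integrity check over the header and payload). The header and payload are base64url-encoded, not encrypted, so anyone holding the token can read the claims. Signatures can be symmetric (HMAC with a shared secret) or asymmetric (RSA/ECDSA with a private/public key pair).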

Algorithm Selection Guide

HS256 / HS384 / HS512 (HMAC)

Symmetric algorithms using a shared secret key. The same key is used to sign and verify, so any party that can verify a token can also create one. Best for single-service applications where the verifier also knows the secret.

RS256 / RS384 / RS512 (RSA)

Asymmetric algorithms using a private key to sign and a public key to verify. The private key is never shared — only the public key is distributed. Ideal for microservices and third-party verification.

ES256 / ES384 / ES512 (ECDSA)

Asymmetric algorithms based on elliptic curve cryptography. Offer equivalent security to RSA with smaller key sizes. ES256 (P-256) is widely supported and recommended for new implementations.

How to Use

  1. Select your signing algorithm (HS256 for shared secret, RS256/ES256 for private key).
  2. Enter your secret key (for HMAC) or private key in PEM format (for RSA/ECDSA).
  3. Fill in the standard claims or add custom JSON claims.
  4. Click "Generate Token" to create your signed JWT.
  5. Copy the token and use it in your Authorization headers or wherever needed.

Frequently Asked Questions

Is signing done in my browser?

Yes. JWT signing is performed entirely in your browser using the Web Crypto API. Your secret keys never leave your device.

What is the difference between HS256 and RS256?

HS256 uses a shared secret — both the signer and verifier must know it. RS256 uses a private key to sign and a public key to verify, allowing anyone with the public key to verify without knowing the private key.

Can I use this token with my API?

Yes. Simply copy the generated token and include it in the Authorization: Bearer <token> header when making requests to your API.
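
How an API might check an HS256 token received in the Authorization: Bearer header, as an added example that is not this page's or tool's code. It uses Node's built-in `crypto` module rather than the browser Web Crypto API, and the function names, reason strings, sample secret and sample claims are constructed for illustration.

```javascript
// Added example (not the tool's code): HS256 sign and strict verify with Node's crypto.
const nodeCrypto = require('node:crypto');

// Constructed sample values for the demo only.
const DEMO_SECRET = 'constructed-demo-secret-do-not-reuse';
const DEMO_CLAIMS = { sub: 'user-123', iat: 1700000000, exp: 1700003600 };

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, input) =>
  nodeCrypto.createHmac('sha256', secret).update(input).digest();

// Token = base64url(header) "." base64url(payload) "." base64url(HMAC-SHA256)
function signHs256(claims, secret) {
  const signingInput =
    `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

const parseJson = (part) => {
  try { return JSON.parse(Buffer.from(part, 'base64url').toString('utf8')); }
  catch { return undefined; }
};

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyHs256(token, secret, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, signature] = parts;

  // Pin the algorithm on the verifier; the token header must not choose it.
  if (parseJson(header)?.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };

  // Recompute the MAC and compare the encoded forms in constant time.
  const expected = Buffer.from(b64url(hmac(secret, `${header}.${payload}`)));
  const given = Buffer.from(signature);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  // Only now trust the claims: RFC 7519 requires the current time to be before exp.
  const claims = parseJson(payload);
  if (claims === undefined || claims === null) return { ok: false, reason: 'malformed' };
  if (typeof claims.exp === 'number' && nowSeconds >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, claims };
}
```

The claims are parsed only after the signature check passes, so unauthenticated payload content never reaches application logic.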

How are the keys handled?

All operations are performed in your browser using JavaScript. No data is sent to any server. The Web Crypto API provides hardware-accelerated cryptographic operations for HMAC, and the jose library handles RSA and ECDSA signing.
