Build and sign a JSON Web Token with a custom payload and secret, using HMAC (HS256/HS384/HS512). Signing happens locally via the Web Crypto API — your secret never leaves your browser.
HMAC with SHA-256/384/512. Asymmetric algorithms (RS256, ES256) require a private key and aren't supported client-side.
Used to sign the token via HMAC. Use a long, random secret in production.
This generator builds a JWT by base64url-encoding the header and your payload, then signs the resulting string using HMAC-SHA256/384/512 via the browser's native Web Crypto API. The output follows the standard three-part header.payload.signature format defined in RFC 7519.
Because signing happens with the Web Crypto API's SubtleCrypto interface, your secret is used only in memory and never transmitted anywhere. This makes the tool useful for testing, debugging, or generating tokens for local development — production systems should generate and sign tokens server-side, where the secret can be kept confidential.
Have a token to inspect instead?
Decode and verify an existing JWT's header, payload and signature.