How to Use JWT Generator

Key Takeaways

No — never use a web-based tool to generate production JWTs

HS256 (HMAC-SHA256), HS384, and HS512 for symmetric signing with a shared secret

HS256 uses a single shared secret for both signing and verification — simpler but requires sharing the secret with anyone who verifies tokens

Yes — add any key-value pairs to the payload section

What is JWT Generator?

JWT Generator creates valid, signed JSON Web Tokens — specify the algorithm, secret, standard claims (sub, iss, exp), and any custom claims, and get a signed JWT ready to use in API tests or development environments.

JWT Generator is a development and testing tool. For production systems, always generate JWTs programmatically in your backend using a battle-tested library — never in the browser.

JWT Structure Recap

Header

Algorithm (alg) and token type (typ: JWT). Base64url-encoded.

Payload

Claims: who the token is for (sub), when it expires (exp), plus any custom data you need.

Signature

HMAC or RSA signature over header + payload, using your secret. Verifiable but not reversible.

Standard Claims to Include

Claim	Purpose	Example
`sub`	Subject (user ID)	`"user_123"`
`iss`	Issuer	`"https://auth.myapp.com"`
`aud`	Audience	`"https://api.myapp.com"`
`exp`	Expiration (Unix timestamp)	`1715253600`
`iat`	Issued at	Current time
`jti`	JWT ID (for revocation)	UUID v4

Enter your secret

Paste a secret key for HS256. Use a random 32+ character string for testing.

→

Choose algorithm

Select HS256, HS384, or HS512. HS256 is the standard choice for most use cases.

→

Build the payload

Fill in sub, exp, and any custom claims. The exp field accepts a Unix timestamp or relative time (e.g. +1h).

→

Copy the token

The signed JWT appears in the output. Copy it for use in Authorization headers.

Using the Token in API Calls

GET /api/v1/user/profile HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Tips & Common Mistakes

Set a short expiry for test tokens. Use exp: now + 1 hour for API testing. Long-lived tokens in dev environments are security risks — they end up in committed test files and CI logs.

Never use the same secret in production as in testing. Test secrets often end up in version control or Slack messages. Production secrets must come from a secret manager (AWS Secrets Manager, Vault, etc.).

Verify the token after generating. Paste the generated token into JWT Decoder to confirm the payload is correct before using it in tests. What you see in the generator preview and what’s actually encoded should match — this check catches copy-paste errors.

JWT Decoder — decode and inspect JWT tokens
UUID Generator — generate a UUID for the jti claim
Epoch Converter — calculate the right Unix timestamp for the exp claim

Frequently Asked Questions

Is it safe to generate JWTs here for production use?

No — never use a web-based tool to generate production JWTs. The secret you enter could be exposed in browser history or network logs. Use this tool for testing and development only, with throwaway secrets.

What signing algorithms are supported?

HS256 (HMAC-SHA256), HS384, and HS512 for symmetric signing with a shared secret. RS256 requires an RSA private key. HS256 is the most common choice for simple APIs.

What is the difference between HS256 and RS256?

HS256 uses a single shared secret for both signing and verification — simpler but requires sharing the secret with anyone who verifies tokens. RS256 uses a public/private key pair — the private key signs, the public key verifies. Better for distributed systems.

Can I set custom claims?

Yes — add any key-value pairs to the payload section. Common custom claims include user_id, role, email, and permissions.

AI Text Summarizer

Go Premium