Create and sign HS256 JSON Web Tokens from a payload and secret, entirely in your browser.
How to use the JWT Generator
Edit the payload as a JSON object.
Enter your HS256 secret.
Generate and copy the signed token.
A JWT generator that builds and signs JSON Web Tokens from your payload and secret, entirely in your browser using the Web Crypto API. It pairs with the JWT decoder, which inspects an existing token.
A JWT has three parts separated by dots: a header, a payload of claims, and a signature, each Base64url encoded. The signature is what makes the token trustworthy: it proves the payload has not been altered and was issued by someone who holds the secret.
This tool signs with HS256, that is HMAC using SHA-256, the most common symmetric JWT algorithm. The same secret both signs and verifies the token, so it must be kept private on the server.
For HS256, use a long, random secret. A short or guessable secret undermines the whole token, since anyone who guesses it can mint valid tokens of their own.
An important point about JWTs: the payload is only encoded, not encrypted. Anyone with the token can read its claims by Base64-decoding them, so never put passwords or sensitive data in a JWT. The signature stops tampering; it does not provide secrecy.
Because signing happens locally, your secret and payload never leave your device. Even so, avoid pasting real production secrets on a shared or public computer.
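The signing and verification steps described above can be reproduced with the Web Crypto API. This is an added example, not this tool's own source code; the function names (signJwt, verifyJwt, readPayload) are assumptions chosen for illustration. It shows that the claims can be read without the secret, while verification fails once the payload or the secret changes.

```javascript
// Added example: HS256 signing and verification with the Web Crypto API.
// Browsers expose globalThis.crypto; the require() fallback covers older Node.
const webcrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);
const subtle = webcrypto.subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

function b64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function b64urlDecode(text) {
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function hmacKey(secret) {
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
}

async function signJwt(payload, secret) {
  const header = b64url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(enc.encode(JSON.stringify(payload)));
  const input = `${header}.${body}`;
  const sig = await subtle.sign("HMAC", await hmacKey(secret), enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

// Reading claims needs no secret: the payload is encoded, not encrypted.
function readPayload(token) {
  return JSON.parse(dec.decode(b64urlDecode(token.split(".")[1])));
}

async function verifyJwt(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  try {
    const header = JSON.parse(dec.decode(b64urlDecode(parts[0])));
    if (header.alg !== "HS256") return false; // accept only the expected algorithm
    return await subtle.verify("HMAC", await hmacKey(secret),
      b64urlDecode(parts[2]), enc.encode(`${parts[0]}.${parts[1]}`));
  } catch {
    return false; // malformed Base64url or JSON
  }
}
```

The verifier pins the header to HS256 instead of trusting whatever algorithm the token declares, and it treats any malformed input as a failed verification.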
Frequently asked questions
HS256 (HMAC with SHA-256), the most common symmetric JWT algorithm, signed in your browser with the Web Crypto API.
No. Signing happens entirely in your browser, so the secret and payload never leave your device. Still, avoid real production secrets on shared machines.
Yes, use the JWT decoder tool to inspect the header and payload of an existing token.
No. The payload is only Base64url encoded, so anyone with the token can read it. The signature prevents tampering, not reading, so never put secrets in a JWT.
A long, random string. For HS256 the secret is the only thing protecting the token, so a short or guessable value would let anyone forge valid tokens.
Embed this tool
Add this tool to your own website. Copy the snippet below; it stays up to date automatically.
<iframe src="https://monu.tools/embed/en/jwt-generator" width="100%" height="640" style="border:1px solid #e5e5e5;border-radius:12px;max-width:680px" loading="lazy" title="Monu Tools"></iframe>
Related tools
Search and look up HTTP status codes and their meanings, from 1xx to 5xx.
Convert a .env file to JSON and JSON back to .env, in both directions, entirely in your browser.
Generate an HMAC for a message and secret key using SHA-1, SHA-256, SHA-384 or SHA-512, in your browser.
Hash a password with bcrypt and verify a password against a bcrypt hash, entirely in your browser.