JWT Encoder
Build a signed JSON Web Token from custom header and payload JSON. Choose HS256, HS384, or HS512. The encoded token is colour-coded by segment. Uses the browser's Web Crypto API — nothing leaves your device.
How it works
1. Base64URL-encode the header JSON and payload JSON separately.
2. Concatenate them as header.payload.
3. Sign that string using HMAC with your chosen SHA algorithm and secret.
4. Base64URL-encode the signature and append as header.payload.signature.
⚠ For development and testing only. Never expose real secrets in a browser tool.
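The four steps above, as an added example written against the Web Crypto API (this is not the tool's own source code). It goes one step beyond the page by also verifying the token with a pinned algorithm and showing that claims are readable without the secret; all function names are illustrative assumptions.

```javascript
// Added example: HS256/384/512 JWT signing and verification (names are hypothetical).
const HASH = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };
const enc = new TextEncoder();

// Base64URL is Base64 with '+' -> '-', '/' -> '_' and the '=' padding removed.
function b64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  const bin = atob(str.replace(/-/g, '+').replace(/_/g, '/'));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
const decodeJson = (seg) => JSON.parse(new TextDecoder().decode(b64urlDecode(seg)));

// Import the secret as a non-extractable HMAC key (browser global, or Node's webcrypto).
async function hmacKey(alg, secret, usage) {
  if (!Object.hasOwn(HASH, alg)) throw new Error(`unsupported alg: ${alg}`);
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const key = await subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: HASH[alg] }, false, [usage]);
  return { subtle, key };
}

// Steps 1-4: encode header and payload, join with '.', HMAC the string, append the signature.
async function signJwt(payload, secret, alg = 'HS256') {
  const { subtle, key } = await hmacKey(alg, secret, 'sign');
  const input = `${b64url(enc.encode(JSON.stringify({ alg, typ: 'JWT' })))}.` +
                b64url(enc.encode(JSON.stringify(payload)));
  const sig = await subtle.sign('HMAC', key, enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

// The verifier pins the algorithm it expects rather than trusting the token's header.
// Returns the claims on success, or null for a malformed, mismatched or tampered token.
async function verifyJwt(token, secret, expectedAlg = 'HS256') {
  try {
    const [h, p, s, extra] = token.split('.');
    if (!s || extra !== undefined) return null;
    if (decodeJson(h).alg !== expectedAlg) return null;
    const { subtle, key } = await hmacKey(expectedAlg, secret, 'verify');
    const ok = await subtle.verify('HMAC', key, b64urlDecode(s), enc.encode(`${h}.${p}`));
    return ok ? decodeJson(p) : null;
  } catch { return null; }
}

// Claims are only encoded, not encrypted: no secret is needed to read them.
const readClaims = (token) => decodeJson(token.split('.')[1]);
```

The block runs in a browser console or in Node.js. Signature length grows with the hash: 43, 64 and 86 Base64URL characters for HS256, HS384 and HS512.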
What is JWT encoding?
This tool signs a JSON payload using HMAC-SHA (HS256, HS384, or HS512) and produces a compact JWT string ready to use in Authorization headers or API calls.
When to use HS256 vs HS384/HS512
HS256 is the most common choice and sufficient for most use cases. HS384 and HS512 produce longer signatures and are used when higher security margins are required.
Important note
JWTs created here are signed but not encrypted. The payload is readable by anyone who has the token. Do not include sensitive data like passwords in the payload.
How to use
- Enter your JSON payload in the payload field.
- Enter your secret key and select the algorithm (HS256, HS384, or HS512).
- Click "Sign" to generate the JWT. Copy the token with the "Copy" button.
Examples
- Simple: Payload {"sub":"user123","exp":9999999999} + secret mysecret + HS256 → a signed JWT you can paste into an Authorization: Bearer ... header for local testing.
- Developer workflow: Your local API requires a valid JWT to test protected endpoints. Generate a test token here with a known payload, paste it into your HTTP client (Postman, curl, Insomnia), and test without spinning up an auth server.
- Edge case: The payload is Base64URL-encoded, not encrypted. Anyone who has the token can read the claims. Never include passwords, private keys, or secrets in the payload.
Your secret key and payload never leave your browser — signing runs entirely in your browser.
Frequently Asked Questions
- What algorithms does the JWT encoder support?
- HS256 (HMAC-SHA256), HS384 (HMAC-SHA384), and HS512 (HMAC-SHA512). These are the most common symmetric signing algorithms used with JWTs.
- Is this safe to use with real secrets?
- No. This tool is for development and testing only. Never paste production secrets or sensitive keys into any browser-based tool.
- How does JWT signing work?
- The header and payload are Base64URL-encoded and concatenated with a dot. That string is signed using HMAC with the chosen hash algorithm and your secret. The resulting signature is Base64URL-encoded and appended as the third JWT segment.
- Is any data sent to a server?
- No. All signing uses the browser's Web Crypto API. Nothing is transmitted or stored.