Free JWT Generator (HS256)
Build a signed HS256 JSON Web Token for testing: edit the payload, set a secret, and copy the token. Everything runs locally via Web Crypto.
Frequently asked
Is it safe to paste a real secret here?
The signing runs entirely in your browser; nothing is transmitted. Still, treat any secret that has touched a third-party page as compromised in principle: for production keys, rotate rather than reuse.
What claims should a JWT include?
At minimum: exp (expiry; keep it short, minutes not months), iat (issued at), and sub (the subject). Add iss (issuer) and aud (audience) so tokens can't be replayed across services. Never put passwords or PII in claims: the payload is only base64url-encoded, not encrypted, so JWTs are readable by anyone who holds them.
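The claims above only help if the verifier enforces them. The following added example (not this tool's own code) signs an HS256 token with Web Crypto and rejects tokens that are expired, too long-lived, or issued for another service. The names signJwt and verifyJwt, the maxLifetime option and its 900-second default are assumptions made for illustration.

```javascript
// Added example (not this tool's code). Function names and the 15-minute cap are assumptions.
// Browsers expose globalThis.crypto; the require() fallback only runs on older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder(), dec = new TextDecoder();

const b64url = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (ch) => ch.charCodeAt(0));
const hmacKey = (secret, usage) => subtle.importKey(
  "raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

async function signJwt(claims, secret) {
  const head = b64url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(enc.encode(JSON.stringify(claims)));
  const key = await hmacKey(secret, "sign");
  const sig = await subtle.sign("HMAC", key, enc.encode(`${head}.${body}`));
  return `${head}.${body}.${b64url(sig)}`;
}

// Resolves to the claims, or rejects with the reason the token was refused.
async function verifyJwt(token, secret, { iss, aud, maxLifetime = 900, now = Date.now() / 1000 }) {
  const [head, body, sig, extra] = token.split(".");
  if (!head || !body || !sig || extra !== undefined) throw new Error("malformed");
  // Pin the algorithm; never let the token's own header choose it.
  if (JSON.parse(dec.decode(fromB64url(head))).alg !== "HS256") throw new Error("unexpected alg");
  const key = await hmacKey(secret, "verify");
  // subtle.verify recomputes the MAC over header.payload and compares it to the signature.
  const ok = await subtle.verify("HMAC", key, fromB64url(sig), enc.encode(`${head}.${body}`));
  if (!ok) throw new Error("bad signature");
  const c = JSON.parse(dec.decode(fromB64url(body)));
  if (typeof c.exp !== "number" || c.exp <= now) throw new Error("expired or missing exp");
  if (typeof c.iat !== "number" || c.iat > now + 60) throw new Error("bad iat"); // 60 s clock skew
  if (c.exp - c.iat > maxLifetime) throw new Error("lifetime too long");
  if (!c.sub) throw new Error("missing sub");
  if (c.iss !== iss) throw new Error("wrong iss");
  if (![].concat(c.aud ?? []).includes(aud)) throw new Error("wrong aud"); // aud may be a string or array
  return c;
}
```

Claims are read only after the signature check passes, so nothing in an unauthenticated payload influences the decision.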