JWT Encoder

Create and sign JSON Web Tokens with customizable header, payload, and signing algorithms.

Header

Payload

Secret Key

⚠️ This is a client-side tool for testing only. Never use production secrets here.

Encoded JWT

How to Use the JWT Encoder

This JWT encoder tool helps you create and sign JSON Web Tokens for testing and development. A JWT consists of three parts: a header that names the signing algorithm, a payload containing your data (claims), and a signature that lets anyone holding the key detect changes to the header or payload. Each part is base64url-encoded (no padding) and the three are joined with dots to form the final token.

Configure the Header: Choose your signing algorithm. HS256 (HMAC with SHA-256) is the most common and is sufficient for almost all applications. HS384 and HS512 use larger hash functions, but an HMAC is only as strong as its secret, so they add nothing unless the secret grows with them (RFC 7518 requires a secret at least as long as the hash output: 32, 48 and 64 bytes respectively). The header automatically includes the token type ("JWT") and your selected algorithm. You can also add custom header fields if needed for your specific use case. Whatever the header says, the server that verifies the token should pin the algorithm it expects rather than trust the token's own "alg" field.

Build the Payload: Add claims to your payload using JSON format. Standard claims include "sub" (subject/user identifier), "exp" (expiration timestamp), "iat" (issued at timestamp), "iss" (issuer), and "aud" (audience). "exp" and "iat" are NumericDate values: integer seconds since the Unix epoch, not milliseconds. You can add any custom claims your application needs. Use the quick-add buttons for common claims, or edit the JSON directly for full control.

Sign the Token: Enter your secret key to sign the token. The signature lets a verifier that holds the same secret detect any change to the header or payload; without the secret, nobody can produce a valid signature for modified content. The tool immediately generates your signed JWT, which you can copy and use in your application. You'll see the complete token with all three parts (header.payload.signature) ready to use.

Remember that JWTs are encoded but not encrypted — anyone can decode and read the header and payload. Never include sensitive information like passwords or credit cards in JWT payloads. Use this tool for development and testing only. For production, always generate JWTs server-side where you can keep secret keys secure.

Frequently Asked Questions

What is a JWT and when should I use it?

JWT (JSON Web Token) is a compact, URL-safe token format for transmitting claims between parties with an integrity check: the recipient can verify that the token was issued by a holder of the key and has not been altered. JWTs are commonly used for authentication and authorization in web applications and APIs. After a user logs in, the server issues a JWT that the client includes in subsequent requests (typically in an Authorization: Bearer header) to prove its identity without logging in again.

What are the three parts of a JWT?

A JWT consists of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature. The header and payload are base64url-encoded JSON objects (base64 with a URL-safe alphabet and no "=" padding). For the HS* algorithms the signature is an HMAC computed with the secret over the exact string base64url(header) + "." + base64url(payload), itself base64url-encoded. A verifier recomputes that HMAC with the same secret and compares it to the token's third part, ideally in constant time; a mismatch means the header or payload was altered or the token was signed with a different key.

What's the difference between HS256, HS384, and HS512?

These are all HMAC algorithms, differing only in the underlying hash: HS256 uses SHA-256 (256-bit output), HS384 uses SHA-384 (384-bit), and HS512 uses SHA-512 (512-bit). All are symmetric: the same secret both signs and verifies, so every party that can verify a token can also mint one. The strength of an HMAC is bounded by its secret rather than by the hash width, so the practical difference between them is the minimum secret size RFC 7518 requires (32, 48 and 64 bytes). HS256 with a 32-byte random secret is sufficient for essentially all use cases; HS512 is a reasonable choice only if you also use a 64-byte secret.

What should I include in the JWT payload?

Include only necessary claims like user ID, roles, permissions, and expiration time. Avoid sensitive data like passwords or credit card numbers — JWTs are encoded (not encrypted) and can be decoded by anyone. Standard claims include 'sub' (subject/user ID), 'exp' (expiration timestamp), 'iat' (issued at timestamp), and 'iss' (issuer). Keep payloads small to minimize token size.

How do I keep my JWT secret key secure?

Store your secret key in environment variables or a secrets manager, never in source code or client-side JavaScript. Generate it with a cryptographically secure random generator and size it in bytes, not characters: at least 32 random bytes (256 bits) for HS256, 48 for HS384 and 64 for HS512, the minimum RFC 7518 allows (for example, openssl rand -base64 32 for HS256). A typed passphrase of 32 characters has far less entropy than 32 random bytes. Rotate keys periodically and immediately if compromised. For this tool, use test keys only; never use production keys in any online tool, even client-side ones.

Is it safe to use this tool for real tokens?

This tool is safe for learning, testing, and development since all processing happens in your browser. However, for production tokens, generate them server-side where you can keep secret keys truly secure. Never expose production secret keys to any client-side tool or browser environment. Use this tool for understanding JWT structure and testing with dummy data only.