DevToolbox

Free Online JWT Generator

Generate signed JWT tokens in your browser. Choose HS256, RS256, ES256, and more. Add custom claims, set expiry, and copy the token instantly. 100% client-side.


How to Use JWT Generator

Select an algorithm from the selector at the top. HS256 is the recommended default for most use cases.

  • For HMAC algorithms (HS256/HS384/HS512) — enter a secret key or click Generate to create a random 256-bit secret.
  • For asymmetric algorithms (RS256/PS256/ES256) — an ephemeral key pair is generated automatically in your browser. A warning note reminds you to use your own private key in production.

Fill in the Standard Claims section: sub (subject), iss (issuer), aud (audience), and exp (expiry duration). The iat (issued-at) claim is always set automatically.

Add any Custom Claims by clicking Add claim. Specify the key name, value, and data type (string, number, or boolean).

Click Generate Token or press Ctrl/Cmd+Enter to sign the token. Copy the resulting JWT with the copy button.

Frequently Asked Questions

What is the difference between this JWT generator and the JWT decoder?

The JWT decoder reads an existing token and shows you the header, payload claims, and expiry status — but does not validate the signature. The JWT generator creates brand-new, properly signed tokens from the claims you specify. Use the generator to create test tokens for development, and the decoder to inspect tokens you receive in production.

Which algorithm should I use?

HS256 (HMAC-SHA-256) is the most widely supported and is fine for most applications where the signing and verifying party is the same service. RS256 and ES256 are asymmetric algorithms useful when you need separate signing (private key) and verification (public key) parties, such as microservices or third-party API consumers. PS256 is a probabilistic RSA variant. Avoid HS384/HS512 unless your security policy explicitly requires larger HMAC output.

Is the generated token secure?

For HMAC algorithms (HS256/HS384/HS512) the token is only as secure as your secret key. Use the "Generate" button to create a cryptographically random 256-bit secret. For asymmetric algorithms (RS256/PS256/ES256) this tool generates an ephemeral key pair in your browser for demonstration — do not use these tokens in production; generate them with your own private key instead.

What are custom claims and how do I use them?

Custom (private) claims let you embed any application-specific data into the token payload — for example, a user role, tenant ID, or permission set. Click "Add claim", enter a key name and value, and select the value type (string, number, or boolean). These claims will appear in the decoded payload alongside the standard registered claims.

Is my secret key sent to any server?

No. All JWT signing happens entirely in your browser using the Web Crypto API (SubtleCrypto). Your secret key and payload data never leave your browser.

What does the "exp — Expires in" field control?

It sets the exp (expiration time) claim to a Unix timestamp equal to the current time plus the selected duration. Choosing "Never" omits the exp claim entirely, producing a token that never expires. Tokens without an expiry should only be used in controlled environments — in production, always set an expiration.
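The HS256 path described in the last two answers (signing through SubtleCrypto, with iat set automatically and exp computed as current time plus a duration), written out as an added example that is not this tool's own source code. It goes one step further than the page and includes the verifier-side checks (pinned algorithm, signature, expiry); every function name here is an assumption made for illustration.

```javascript
// Added example: names below are illustrative, not the tool's source code.
// Browsers expose crypto globally; the require() fallback covers older Node.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const encodeJson = (obj) => b64url(enc.encode(JSON.stringify(obj)));
const decodeJson = (s) => JSON.parse(new TextDecoder().decode(b64urlDecode(s)));

// iat is always set; ttlSeconds === null models the "Never" option (no exp).
function buildClaims(claims, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const out = { ...claims, iat: now };
  if (ttlSeconds !== null) out.exp = now + ttlSeconds;
  return out;
}

const importHmacKey = (secret) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);

// Token = base64url(header) . base64url(payload) . base64url(HMAC over the first two parts)
async function signHS256(claims, secret) {
  const signingInput = `${encodeJson({ alg: "HS256", typ: "JWT" })}.${encodeJson(claims)}`;
  const sig = await subtle.sign("HMAC", await importHmacKey(secret), enc.encode(signingInput));
  return `${signingInput}.${b64url(new Uint8Array(sig))}`;
}

// Verifier side: pin the algorithm, check the MAC, and only then trust exp.
async function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  if (decodeJson(h).alg !== "HS256") throw new Error("unexpected alg");
  const ok = await subtle.verify("HMAC", await importHmacKey(secret), b64urlDecode(s), enc.encode(`${h}.${p}`));
  if (!ok) throw new Error("bad signature");
  const claims = decodeJson(p);
  if (claims.exp !== undefined && now >= claims.exp) throw new Error("token expired");
  return claims;
}
```

A token built with `buildClaims(claims, null)` passes `verifyHS256` indefinitely, which is why the "Never" option belongs in controlled environments only.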
