JWT Token Generator

Generate JSON Web Tokens (JWT) with custom claims and expiration. Create HS256 signed tokens for authentication testing and development.

Generated tokens use real HMAC-SHA256 signatures. Use a strong secret key in production. For testing only - do not use in production without proper security review.

How to Generate and Decode JWT Tokens Online

1. Choose a signing algorithm. Select your preferred signing algorithm such as HS256 (HMAC-SHA256). HS256 is the most common choice for symmetric signing where both parties share the same secret key.

2. Enter your secret key and claims. Provide a strong secret key for signing. Then fill in standard claims like subject (sub), expiration time, and any custom claims your application requires, such as user roles or permissions.

3. Generate the JWT. Click Generate JWT to create a signed token. The tool produces a valid three-part token (header.payload.signature) that you can copy and use immediately in your API requests or test environments.

4. Verify and decode the token. Use our JWT Decoder to inspect the generated token. You can verify that the header, payload claims, and signature are correct before using the token in your authentication flow.

Common Use Cases

1. API Authentication Testing. Generate test JWT tokens with specific claims and expiration times to verify that your API endpoints correctly validate authorization headers and reject expired or malformed tokens.

2. OAuth and SSO Flow Development. Create tokens that mimic OAuth 2.0 or OpenID Connect responses so you can build and debug single sign-on integrations without needing a live identity provider running.

3. Debugging Token Issues. When authentication fails in staging or production, generate a known-good token with the expected claims to isolate whether the problem lies in token creation or token validation logic.

4. Creating Mock JWTs for Unit Tests. Produce deterministic test tokens with fixed payloads and signatures for use in automated test suites, ensuring your middleware and guards handle every claim combination correctly.

Why Use JWT Generator?

JSON Web Tokens are widely used for authentication and information exchange. This tool helps developers create test tokens with custom claims, making it easier to develop and test JWT-based authentication systems.

A JSON Web Token (JWT) is a compact, URL-safe string used to securely transmit information between parties. Every JWT consists of three parts separated by dots: a header that specifies the token type and signing algorithm, a payload containing the claims (data), and a signature that lets the verifier detect tampering. The header and payload are Base64url-encoded, making them easy to inspect but not encrypted. The signature is computed over the encoded header and payload joined by a dot; with HS256 this is an HMAC-SHA256 keyed with the shared secret.

The most widely used signing algorithms are HS256 (HMAC-SHA256) and RS256 (RSA-SHA256). HS256 uses a single shared secret for both signing and verification, making it simple and fast for server-to-server communication. RS256 uses an asymmetric key pair where the private key signs and the public key verifies, which is ideal for distributed systems and third-party integrations. You can use our SHA-256 Hash Generator to experiment with the underlying SHA-256 hashing that powers these algorithms.

Standard JWT claims include iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), and iat (issued at). Custom claims let you attach application-specific data like user roles, permissions, or tenant IDs. This JWT token generator creates valid, signed tokens entirely in your browser, so your secret keys and payloads are never sent to any server. For decoding and inspecting existing tokens, try the JWT Decoder.

How It Compares

Unlike jwt.io and similar online JWT tools that send your token data to their servers for processing, this JWT token generator runs entirely in your browser. Your secret keys, payloads, and generated tokens never leave your machine. This client-side approach means there is zero risk of your signing secrets being intercepted, logged, or stored by a third party. For developers working with production-adjacent secrets during testing, this privacy-first design is a significant advantage over server-based alternatives.

JWT Security Tips

1. Always set an expiration time (exp claim) on your tokens. Short-lived tokens of 15 minutes to 1 hour reduce the damage window if a token is compromised.

2. Use HS256 with a secret of at least 256 bits (32 random bytes) for symmetric signing. For asymmetric flows where you need public key verification, prefer RS256 with a 2048-bit RSA key pair.

3. Never embed sensitive data like passwords or credit card numbers in the JWT payload. The payload is Base64url-encoded, not encrypted, so anyone with the token can read it.

4. Store tokens securely on the client side. Prefer HttpOnly cookies over localStorage so that a cross-site scripting (XSS) flaw cannot read your tokens from JavaScript.

5. Rotate your signing keys regularly and implement a key revocation strategy. If a secret key is ever exposed, all tokens signed with it should be considered compromised.

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between parties. It consists of three parts: header, payload, and signature, separated by dots.

Is it safe to use this for production tokens?

This tool is designed for development and testing. For production use, generate tokens on your secure backend server with proper key management and security measures.

What algorithms are supported?

Currently, HS256 (HMAC-SHA256) is fully supported. This is one of the most commonly used algorithms for JWT signing and is suitable for most use cases.

What is the difference between HS256 and RS256?

HS256 uses a single shared secret key for both signing and verification (symmetric). RS256 uses a private key for signing and a separate public key for verification (asymmetric). RS256 is preferred when the verifier should not have the ability to create tokens.

Can anyone read the data inside a JWT?

Yes. The JWT payload is Base64url-encoded, not encrypted. Anyone with the token can decode and read the claims. Never store sensitive information like passwords or secrets in a JWT payload.
