JWT Encoder (Generate & Sign)

Generate an HMAC-signed JWT (JSON Web Token) from header and payload JSON using HS256, HS384, or HS512 — right in your browser. Nothing, including the secret, is ever sent to a server.

Supported HMAC Signing Algorithms

Algorithm Hash Function Signature Length Description
HS256 SHA-256 256 bits (32 bytes) The most widely used default HMAC signature. Standard in many implementations, including OAuth 2.0 and OpenID Connect ID tokens.
HS384 SHA-384 384 bits (48 bytes) A middle-ground option for when you want a longer signature than HS256 for extra security margin.
HS512 SHA-512 512 bits (64 bytes) Has the longest signature length and is typically paired with a sufficiently long, random secret.

Tips

  • The JWT is signed entirely with your browser's Web Crypto API — the header, payload, and secret are never sent to the toolbase.cc server.
  • Switching the signing algorithm (HS256/HS384/HS512) automatically updates the alg field in the header JSON. Edit the header directly if you want to add other claims like kid.
  • This tool only supports HMAC (symmetric key) algorithms. If you need a public-key algorithm such as RS256 or ES256, use a server-side library like a Node.js JWT package instead.
  • After editing the header or payload, remember to click "Generate JWT" again — otherwise the token shown is still signed from the previous input.
  • To check the contents of a JWT you just generated, paste it into the companion JWT Decoder tool to verify the header and payload.

Frequently Asked Questions

No, we don't recommend it. While the signing itself happens safely inside your browser, entering a production secret into a browser tool is not good practice from a security standpoint. This tool is intended for checking API behavior during development or for learning purposes.

HS256 is a symmetric-key algorithm where sender and receiver share the same secret, while RS256 is a public-key (asymmetric) algorithm where a private key signs and a public key verifies. This tool only supports the HMAC family — HS256, HS384, and HS512 — and does not support public-key algorithms like RS256 or ES256.

Yes, you can edit the header JSON directly. However, if the selected algorithm (the one actually used to compute the signature) doesn't match the alg field's value, another implementation verifying the token may reject it with an error — so make sure the two always match.

You can paste the generated JWT string into the companion "JWT Decoder" tool to instantly check the header and payload contents. That said, the actual validity of the signature can only be confirmed definitively by server-side verification logic that holds the same secret.
ツールくん

Side Note — Why JWT Signing Can Be Done Entirely in the Browser

JWT signing algorithms fall into two broad families: "symmetric key" algorithms (HMAC, i.e. HS256/HS384/HS512), where sender and receiver share the same secret, and "public-key" algorithms (like RS256 and ES256), where a private key signs and a public key verifies. Because the former can be computed entirely with the W3C-standardized Web Crypto API's (SubtleCrypto) crypto.subtle.sign() — with no external library required — this tool deliberately limits itself to HMAC algorithms only.

The security of an HMAC signature depends entirely on how hard the secret is to guess, not on the contents of the header or payload. RFC 7518 (JSON Web Algorithms) recommends a key length of at least 256 bits (32 bytes) for HS256; using a short word or a dictionary string as your secret risks the signature being forged via brute force. In real deployments, you should use a sufficiently long, randomly generated string as your secret.

This tool is a developer utility meant for checking API behavior during development or testing webhook signature-verification logic. The secret you enter is handled only in your browser's memory and never transmitted externally, but the risk from a shared machine or a browser extension harvesting clipboard contents or input isn't zero. We strongly recommend never entering a secret you actually use in production into a tool like this, even just to check it works.