JWT Encoder (Generate & Sign)
Generate an HMAC-signed JWT (JSON Web Token) from header and payload JSON using HS256, HS384, or HS512 — right in your browser. Nothing, including the secret, is ever sent to a server.
Supported HMAC Signing Algorithms
| Algorithm | Hash Function | Signature Length | Description |
|---|---|---|---|
| HS256 | SHA-256 | 256 bits (32 bytes) | The most widely used default HMAC signature. Standard in many implementations, including OAuth 2.0 and OpenID Connect ID tokens. |
| HS384 | SHA-384 | 384 bits (48 bytes) | A middle-ground option for when you want a longer signature than HS256 for extra security margin. |
| HS512 | SHA-512 | 512 bits (64 bytes) | Has the longest signature length and is typically paired with a sufficiently long, random secret. |
Tips
- The JWT is signed entirely with your browser's Web Crypto API — the header, payload, and secret are never sent to the toolbase.cc server.
- Switching the signing algorithm (HS256/HS384/HS512) automatically updates the
algfield in the header JSON. Edit the header directly if you want to add other claims likekid. - This tool only supports HMAC (symmetric key) algorithms. If you need a public-key algorithm such as RS256 or ES256, use a server-side library like a Node.js JWT package instead.
- After editing the header or payload, remember to click "Generate JWT" again — otherwise the token shown is still signed from the previous input.
- To check the contents of a JWT you just generated, paste it into the companion JWT Decoder tool to verify the header and payload.
Frequently Asked Questions
alg field's value, another implementation verifying the token may reject it with an error — so make sure the two always match.
Side Note — Why JWT Signing Can Be Done Entirely in the Browser
JWT signing algorithms fall into two broad families: "symmetric key" algorithms (HMAC, i.e. HS256/HS384/HS512), where sender and receiver share the same secret, and "public-key" algorithms (like RS256 and ES256), where a private key signs and a public key verifies. Because the former can be computed entirely with the W3C-standardized Web Crypto API's (SubtleCrypto) crypto.subtle.sign() — with no external library required — this tool deliberately limits itself to HMAC algorithms only.
The security of an HMAC signature depends entirely on how hard the secret is to guess, not on the contents of the header or payload. RFC 7518 (JSON Web Algorithms) recommends a key length of at least 256 bits (32 bytes) for HS256; using a short word or a dictionary string as your secret risks the signature being forged via brute force. In real deployments, you should use a sufficiently long, randomly generated string as your secret.
This tool is a developer utility meant for checking API behavior during development or testing webhook signature-verification logic. The secret you enter is handled only in your browser's memory and never transmitted externally, but the risk from a shared machine or a browser extension harvesting clipboard contents or input isn't zero. We strongly recommend never entering a secret you actually use in production into a tool like this, even just to check it works.