Sign and verify JSON Web Tokens with HS256, HS384, or HS512. Uses the browser's Web Crypto API, your secret never leaves the page.
Share this tool
Found it useful? Help a fellow developer discover it.
A JWT consists of three base64url-encoded parts separated by dots:
HEADER
Declares the token type (JWT) and signing algorithm (e.g. HS256). Base64url-encoded JSON.
PAYLOAD
Claims about the subject, user ID, name, expiry (exp), issued-at (iat), etc. Base64url-encoded JSON.
SIGNATURE
HMAC of header + "." + payload using your secret. Proves the token was not tampered with.
| Algorithm | Hash | Signature size | Min. secret length | Recommendation |
|---|---|---|---|---|
| HS256 | SHA-256 | 43 chars | 32 bytes recommended | Most common, sufficient for most use cases |
| HS384 | SHA-384 | 64 chars | 48 bytes recommended | Higher security margin, rare in practice |
| HS512 | SHA-512 | 86 chars | 64 bytes recommended | Highest security, larger tokens, fast on 64-bit |
For testing and development, yes. This tool uses the browser's native Web Crypto API, your secret is never sent over the network. For production systems, generate tokens server-side where the secret is protected by environment variables and never exposed to clients. Browser-generated tokens should only be used for testing.
HS256 uses a symmetric secret (same key to sign and verify). RS256 uses an asymmetric RSA key pair, the private key signs the token, and the public key verifies it. RS256 is better when multiple services need to verify tokens without sharing a secret. This tool supports HS* algorithms only.
At minimum: iss (issuer), sub (subject/user ID), iat (issued-at timestamp), and exp (expiry timestamp). The exp claim is critical, without it, a stolen token is valid forever. A typical expiry is 15 minutes for access tokens and 7–30 days for refresh tokens.
Common causes: wrong secret (it must be identical to the one used to sign), algorithm mismatch (the verifier must use the same algorithm as the signer), the token is expired, or the token was URL-decoded (plus instead of dash, slash instead of underscore). Paste the raw token directly without decoding it first.
Enter a JSON payload in the payload panel. A minimal test payload is: {"sub": "user123", "iat": 1700000000, "exp": 1700003600}. Enter any string as your secret, select HS256, and the signed token appears instantly. Copy it to use in Authorization headers or paste it into the JWT Decoder to inspect the claims.
exp is a Unix timestamp (seconds since 1 January 1970 UTC). To set a 1-hour expiry, take the current Unix timestamp and add 3600. For a 15-minute expiry add 900. Use the Timestamp Converter tool to get the current Unix timestamp, then add the desired seconds and paste the result into your payload.
15 minutes is the standard recommendation for access tokens in production. Short expiry limits the exposure window if a token is stolen. Pair them with a longer-lived refresh token (7 to 30 days) stored in an HttpOnly cookie, exchanged silently for new access tokens without requiring the user to log in again.
Yes, but with trade-offs. JWTs are stateless so you cannot invalidate an individual token before it expires without maintaining a server-side blocklist, which negates the stateless benefit. For applications that need immediate logout or revocation, traditional server-side sessions with a session store are simpler. JWTs are best for stateless APIs, microservices, and short-lived credentials.
JWT Decoder
Decode and inspect JWT tokens. View header, payload, and signature without a secret.
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from any string.
Password Generator
Generate cryptographically secure passwords and EFF-style passphrases using the Web Crypto API.
UUID / ULID Generator
Generate RFC-4122 UUIDs (v1, v4, v5) and ULIDs instantly.
