My Tools Garage

JWT Generator HS256

Sign a JWT with HMAC-SHA256 in your browser.

How to use

  1. Enter your claims as a JSON object in the payload box.
  2. Type the HMAC secret your verifier will use.
  3. Click “Generate token” to sign with HS256.
  4. Copy the resulting JWT and use it in your Authorization header.

About JWT Generator HS256

The JWT Generator HS256 builds a signed JSON Web Token from a payload of claims and a shared secret, using the widely supported HS256 (HMAC-SHA256) algorithm.

A JWT has three Base64URL parts joined by dots: a header that names the algorithm, a payload that carries your claims, and a signature that proves the token was issued by someone who holds the secret.

This tool assembles all three and signs the header-and-payload with HMAC-SHA256 so the result verifies in any standard JWT library.

It is built for developers who need a quick, throwaway token while testing an API, debugging an auth flow, or seeding a fixture.

Type or paste the claims as a JSON object — common fields include sub, name, iat, exp and any custom values your service expects — supply the secret your verifier uses, and copy the finished token.

Crucially, the signing happens entirely in your browser through the Web Crypto API.

Your secret and payload are never sent over the network, logged, or stored, which matters because a JWT secret is as sensitive as a password.

Because there is no server round trip, the tool also keeps working offline once loaded.

For inspecting tokens you already have, pair it with a JWT decoder.
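The construction described above, written out with the Web Crypto API together with the check a verifier would run on the result. This is an added example, not this tool's own source; the function names `signHS256` and `verifyHS256` are hypothetical, and the fallback to `node:crypto` is only there so the same code runs outside a browser.

```javascript
// Added example (not the tool's source): HS256 sign and verify via Web Crypto.
const enc = new TextEncoder();
const dec = new TextDecoder();
// Browsers and current Node expose crypto.subtle globally; older Node needs node:crypto.
const subtleReady = (async () =>
  globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle)();

// Base64URL is Base64 with '+' and '/' replaced by '-' and '_' and padding dropped.
const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64urlDecode = (text) => Uint8Array.from(
  atob(text.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

async function hmacKey(secret, usage) {
  return (await subtleReady).importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
}

async function signHS256(claims, secret) {
  const header = b64url(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const payload = b64url(enc.encode(JSON.stringify(claims)));
  const signingInput = `${header}.${payload}`; // the signature covers exactly this string
  const sig = await (await subtleReady).sign(
    'HMAC', await hmacKey(secret, 'sign'), enc.encode(signingInput));
  return `${signingInput}.${b64url(new Uint8Array(sig))}`;
}

// Returns the claims; throws if the token is malformed, not HS256, forged or expired.
async function verifyHS256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, sig] = parts;
  // Pin the algorithm: never let the token's own header choose how it is verified.
  if (JSON.parse(dec.decode(b64urlDecode(header))).alg !== 'HS256') {
    throw new Error('unexpected alg');
  }
  // subtle.verify recomputes the MAC and compares it for us.
  const ok = await (await subtleReady).verify('HMAC', await hmacKey(secret, 'verify'),
    b64urlDecode(sig), enc.encode(`${header}.${payload}`));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(dec.decode(b64urlDecode(payload)));
  // exp is a Unix timestamp in seconds; a token is invalid at or after that instant.
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) throw new Error('expired');
  return claims;
}
```

Passing `nowSeconds` explicitly makes the expiry check reproducible in tests; in production the default of the current time applies.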

FAQ

Is my secret safe?

Yes. Signing uses your browser’s Web Crypto API, so the secret and payload never leave the page — nothing is uploaded, logged or stored.

Which algorithm is used?

HS256, meaning HMAC with SHA-256. The header is fixed to {"alg":"HS256","typ":"JWT"} and the signature is computed over the Base64URL header and payload.

Can it add an expiry automatically?

No — it signs exactly the claims you provide. Add an "exp" field (a Unix timestamp in seconds) to your payload if you want the token to expire.