JWT Encoder Tool - JSON Web Token Generator and Signer
Free JWT Encoder and Generator for creating signed JSON Web Tokens. All encoding and signing is performed entirely within your browser using the Web Crypto API - your secret keys and private keys never leave your device or get sent to any server.
- This tool is provided "AS IS" without any warranties of any kind.
- The author accepts no responsibility for any security issues arising from handling tokens or keys.
- Secret keys and private keys you enter are processed solely within your browser and are never transmitted to any server. You can verify this by inspecting the source code or monitoring network traffic in your browser's developer tools.
- For testing and learning purposes, the default sample secret ("your-256-bit-secret") is provided. Never enter production secrets or private keys into any online tool unless you have verified its security model.
- For production systems, use proper key management services (e.g., AWS KMS, HashiCorp Vault) to generate and manage signing keys.
- By using this tool, you accept full responsibility for any outcomes.
Privacy: This tool uses client-side JavaScript for all processing. No data is transmitted to servers and no keys or tokens are uploaded; all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.
Features:
- JWT Generation: Create signed JSON Web Tokens with customizable header and payload.
- Multiple Algorithms: Supports HMAC (HS256/HS384/HS512), RSA (RS256/RS384/RS512), and ECDSA (ES256/ES384/ES512).
- Key Pair Generation: Generate RSA (2048-bit) and ECDSA (P-256/P-384/P-521) key pairs directly in the browser.
- Payload Helpers: Quick buttons to insert current timestamp (iat) and expiration time (exp +1 hour).
- Base64 Secret Support: Option to use Base64-encoded HMAC secrets for compatibility with various systems.
- Public Key Export: Copy the generated public key for use in token verification.
- Web Crypto API: Uses the browser's native Web Crypto API for all cryptographic operations - no external libraries required.
- 100% Client-Side: All processing happens in your browser. Your secret keys and private keys never leave your device.
- Works Offline: Once loaded, the tool works without an internet connection.
- No External Libraries: Pure vanilla JavaScript with zero dependencies.
How to Use:
- Select Algorithm: Choose a signing algorithm from the dropdown. HMAC algorithms use a shared secret; RSA and ECDSA use asymmetric key pairs.
- Edit Header: The header is auto-populated based on your algorithm selection. Modify it if needed (e.g., to add a "kid" header parameter).
- Edit Payload: Enter your JWT claims as JSON. Use the helper buttons to quickly add "iat" (issued at) or "exp" (expiration) timestamps.
- Provide Key:
  - For HMAC (HS256/384/512): Enter your secret key in the text field. Check "Secret is Base64 encoded" if applicable.
  - For RSA/ECDSA: Paste a PEM-formatted private key, or click "Generate Key Pair" to create a new one.
- Generate: Click "Generate JWT" to create the signed token.
- Copy: Use "Copy JWT" to copy the generated token to your clipboard.
- Verify: Use the JWT Decoder Tool to inspect and verify the generated token.
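The HMAC path of the steps above, written out as an added example (not the tool's own source code): HS256 signing with the Web Crypto API, plus the matching verifier that pins the algorithm and enforces "exp". The function names are hypothetical; the secret used with it should be a test value such as the page's sample secret.

```javascript
// Added example; function names are hypothetical, not the tool's source.
// Browsers expose crypto.subtle only in secure contexts (HTTPS or localhost).
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback: older Node
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url per RFC 7515: '+' -> '-', '/' -> '_', padding removed.
const b64url = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
// Accepts both the standard and the URL-safe Base64 alphabet.
const b64decode = (s) => Uint8Array.from(
  atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// "Secret is Base64 encoded" decides which bytes become the HMAC key:
// the decoded bytes, or the UTF-8 bytes of the text itself.
function importHmacKey(secret, secretIsBase64 = false) {
  const raw = secretIsBase64 ? b64decode(secret) : enc.encode(secret);
  return subtle.importKey("raw", raw, { name: "HMAC", hash: "SHA-256" },
    false, ["sign", "verify"]); // non-extractable key
}

async function signHS256(payload, key) {
  const header = { alg: "HS256", typ: "JWT" };
  const input = [header, payload]
    .map((part) => b64url(enc.encode(JSON.stringify(part)))).join(".");
  return input + "." + b64url(await subtle.sign("HMAC", key, enc.encode(input)));
}

// Returns the claims, or null if the token must be rejected.
async function verifyHS256(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  try {
    // Pin the algorithm; never let the token's header choose it.
    if (JSON.parse(dec.decode(b64decode(h))).alg !== "HS256") return null;
    // subtle.verify recomputes the MAC and compares it for us.
    if (!(await subtle.verify("HMAC", key, b64decode(sig), enc.encode(`${h}.${p}`)))) return null;
    const claims = JSON.parse(dec.decode(b64decode(p)));
    // exp is seconds since the epoch; expired tokens are rejected.
    return typeof claims.exp === "number" && claims.exp <= now ? null : claims;
  } catch {
    return null; // malformed Base64 or JSON
  }
}
```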
Important Notes:
- This tool generates real, cryptographically signed JWTs. Handle the generated tokens and keys with appropriate care.
- For HMAC algorithms, the security of your JWT depends entirely on the secrecy and strength of your secret key.
- Generated RSA key pairs use 2048-bit keys. For production use, consider using longer keys (3072 or 4096 bits) generated through proper key management systems.
- ECDSA ES512 uses the P-521 curve (not P-512). This is per the JSON Web Algorithms specification (RFC 7518).
- The Web Crypto API requires a secure context (HTTPS or localhost). This tool may not work on plain HTTP pages.
- Private keys generated in the browser are not stored anywhere. If you close the page, the keys are lost. Export and save them if needed.
- For production systems, always use proper key management services (e.g., AWS KMS, HashiCorp Vault) rather than browser-generated keys.
Written by Hidekazu Konishi