JWT Builder + Signer (HS256, RS256)
JWTs are everywhere — auth flows, API tokens, password reset links. Need to mint a test JWT with a specific claim or expiration? This builder lets you set the header, payload claims, and signing key (HMAC secret or RSA private key), then generates the signed token. All in your browser — secrets never leave the page.
How to use the JWT Builder + Signer (HS256, RS256)
Pick an algorithm. HS* uses a shared HMAC secret. RS* uses an RSA private key (PEM-encoded; generate one with our RSA keypair generator). Edit the header and payload as JSON; the alg field in the header is auto-synced to your selection. Click Sign & build token to produce the JWT.
About JWT Builder + Signer (HS256, RS256)
A JWT (JSON Web Token, RFC 7519) is a compact, URL-safe token format consisting of three parts separated by dots: header.payload.signature. The header and payload are base64url-encoded JSON; the signature is a base64url-encoded MAC or digital signature computed over header.payload.
Three signing algorithm families:
- HMAC (HS256/HS384/HS512) — symmetric: same secret to sign and verify. Fast, easy to deploy when both sides are your servers. Bad for tokens issued to clients (clients can't verify without seeing your secret).
- RSA (RS256/RS384/RS512) — asymmetric: private key signs, public key verifies. Right choice when the verifier is external (mobile app, third-party API consumer).
- ECDSA (ES256/ES384/ES512) — asymmetric like RSA but with elliptic curves; smaller keys, faster verification.
Common claims (defined by RFC 7519):
- iss — issuer
- sub — subject (usually user ID)
- aud — audience
- exp — expiration (Unix timestamp)
- nbf — not before
- iat — issued at
- jti — JWT ID (for tracking)
Security: never sign with alg: none in production. Many libraries have accepted none by default, and that has been the source of real vulnerabilities; always specify the expected algorithm (and the matching key type) at verification time, so the token's own header never gets to choose how it is verified.
Common use cases
- Generating test tokens — for local development, testing auth-protected endpoints.
- Debugging auth flows — mint a token with specific claims to test edge cases (expired, missing scope, wrong audience).
- Migrating signing algorithms — generate the same payload under HS256 vs RS256 to compare.
- API client onboarding — provide test tokens to API consumers before they implement their own signing.