JWT Generator
Create test JWTs from a header, payload and secret for auth flows, API work and local debugging.
Back to all tools on ToolForge
Header
Payload
Secret
JWT Token
About JWT Generator
This JWT generator creates JSON Web Tokens from custom header, payload, and secret key inputs using HS256 HMAC signing. It's designed for developers who need to quickly generate test tokens for authentication flows, API testing, and local development without setting up a full backend signing infrastructure.
JWT Structure Explained
A JSON Web Token consists of three parts separated by dots:
xxxxx.yyyyy.zzzzz | | | | | +-- Signature (HMAC-SHA256 signed) | +--------- Payload (claims/data) +--------------- Header (algorithm info)
- Header: Contains algorithm (alg) and token type (typ). Typically
{"alg":"HS256","typ":"JWT"} - Payload: Contains claims - user data, roles, expiration, etc.
- Signature: Created by signing
base64Url(header) + "." + base64Url(payload)with the secret
Common JWT Claims
| Claim | Name | Description |
|---|---|---|
sub |
Subject | User or entity identifier |
iss |
Issuer | Token issuer (your service name) |
aud |
Audience | Intended recipient of token |
exp |
Expiration | Token expiry (Unix timestamp) |
iat |
Issued At | Token creation time (Unix timestamp) |
nbf |
Not Before | Token becomes valid after this time |
jti |
JWT ID | Unique token identifier |
JWT Algorithm Comparison
| Algorithm | Type | Key | Use Case |
|---|---|---|---|
HS256 |
HMAC + SHA-256 | Symmetric (shared secret) | Single service auth (this tool) |
HS512 |
HMAC + SHA-512 | Symmetric (shared secret) | Higher security requirements |
RS256 |
RSA + SHA-256 | Asymmetric (private/public) | Distributed systems, OAuth 2.0 |
ES256 |
ECDSA + P-256 | Asymmetric (elliptic curve) | Mobile apps, IoT devices |
Example JWT Payload
{
"sub": "1234567890",
"name": "John Doe",
"email": "[email protected]",
"role": "admin",
"iat": 1516239022,
"exp": 1516242622
}
Security Best Practices
- Use HTTPS: Always transmit JWTs over encrypted connections
- Short expiration: Set brief token lifetimes (15-60 minutes)
- Strong secrets: Use at least 256-bit random secrets for HS256
- Don't store sensitive data: Payloads can be decoded by anyone
- Implement refresh tokens: Use short-lived access tokens with refresh rotation
- Validate signatures: Never trust unsigned or improperly verified tokens
- Check all claims: Verify exp, iat, iss, aud as appropriate
Common Use Cases
- API Authentication: Stateless auth for REST/GraphQL APIs
- Session Management: Replace server-side sessions with signed tokens
- Microservices: Pass user context between services
- SSO (Single Sign-On):strong> Share authentication across domains
- Testing: Generate test tokens for development (this tool)
Testing JWT Tokens
When testing with this generator:
- Set header algorithm to match your backend (default: HS256)
- Add required claims to payload (user ID, roles, expiration)
- Use the same secret key your backend uses for verification
- Copy the generated token to Postman, curl, or your test suite
- Verify your backend accepts and correctly parses the token
How to Generate JWT Tokens
- Configure header: The default header
{"alg":"HS256","typ":"JWT"}works for most cases. - Add payload claims: Include user data, roles, and standard claims (sub, exp, iat).
- Enter secret key: Use the same secret your application uses for token verification.
- Click Generate: The tool signs the token using HMAC-SHA256 algorithm.
- Copy the token: Use the generated JWT in your Authorization header as
Bearer <token>.
Tips for JWT Testing
- Include an
expclaim to test expiration handling - Use meaningful
subvalues to identify test users - Add custom claims for role-based access testing
- Keep a list of test tokens for different user scenarios
- Never use production secrets in development tools
Frequently Asked Questions
- What is a JWT and how does it work?
- A JWT (JSON Web Token) is a compact, URL-safe token format consisting of three parts: header (algorithm and token type), payload (claims/data), and signature (verification). The signature is created by signing the base64-encoded header and payload with a secret key, ensuring the token hasn't been tampered with.
- What is the difference between HS256 and RS256?
- HS256 uses symmetric encryption - the same secret key signs and verifies tokens. RS256 uses asymmetric encryption - a private key signs, and a public key verifies. HS256 is simpler for single-service apps; RS256 is better for distributed systems where verification happens separately from signing.
- What claims should I include in a JWT payload?
- Common registered claims: 'sub' (subject/user ID), 'iss' (issuer), 'aud' (audience), 'exp' (expiration), 'iat' (issued at), 'nbf' (not before). Custom claims can include user roles, permissions, or application-specific data. Avoid putting sensitive data in payloads - JWTs are encoded, not encrypted.
- How do I validate a JWT token?
- Validation involves: 1) Verify the signature using the secret/public key, 2) Check the 'exp' claim hasn't passed, 3) Verify 'iss' matches expected issuer, 4) Check 'aud' if audience validation is required, 5) Optionally verify 'nbf' (not before) claim. Never trust unsigned tokens.
- Can JWTs be decrypted to reveal sensitive data?
- Yes. JWT payloads are base64url encoded, not encrypted. Anyone can decode a JWT to read its contents. Never include passwords, credit cards, or other sensitive data in JWT payloads. Use JWE (JSON Web Encryption) if you need encrypted tokens.
- What is JWT token expiration and why is it important?
- Token expiration (the 'exp' claim) limits how long a token remains valid. Short-lived tokens reduce the impact of token theft. Best practice: use short expiration (15-60 minutes) for access tokens, implement refresh token rotation for long-term sessions.