Generate a JWT
Enter a payload and secret, pick an HMAC algorithm, and get a signed token. Signing happens entirely in your browser with crypto-js — the secret is never transmitted. Use the JWT Debugger to decode and verify tokens.
Build and sign a JSON Web Token (HS256/384/512) locally — your secret never leaves the browser.
Enter a payload and secret, pick an HMAC algorithm, and get a signed token. Signing happens entirely in your browser with crypto-js — the secret is never transmitted. Use the JWT Debugger to decode and verify tokens.
HMAC with SHA-256, SHA-384 or SHA-512 (HS256/HS384/HS512). You provide the secret, set the header and payload claims, and the tool produces a correctly signed token.
No. Signing is performed in your browser and the secret never leaves it — but for the same reason, avoid entering real production secrets into any web tool you do not fully control.
Add an exp claim as a Unix timestamp; shortcuts help you set it relative to now. Consumers of the token treat exp as the moment it stops being valid.