JWT Generator (HS256)
Private by design — runs entirely in your browser
Build an HS256-signed JWT from a JSON payload and a shared secret. Header, body and signature are computed in the browser using Web Crypto.
Frequently Asked Questions
- Why only HS256?
- HS256 is the most common JWT algorithm and uses HMAC with SHA-256, which Web Crypto handles natively. RS256 and ES256 require a private key; we will add them as the keypair generator gets richer.
- Is the secret sent to a server?
- No. Signing happens in the browser with crypto.subtle. The secret and the payload never leave this tab.
- How long should my secret be?
- At least 32 bytes (256 bits) for HS256. Shorter secrets weaken the security guarantee, even if the signature still verifies.
- Can I add the iat or exp claims?
- Just include iat and exp directly in the JSON payload. The tool does not auto-fill them so you keep full control of the claim set.
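The signing flow described in the answers above, as an added example that is not this tool's own code: it signs with crypto.subtle, enforces the 32-byte secret floor, takes iat and exp from the payload as given, and adds a matching verifier. The function names (signJwt, verifyJwt and the helpers) are assumptions made for the example.

```javascript
// Added example; function names are illustrative, not this tool's code.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Browsers and current Node expose crypto.subtle globally; older Node needs the import.
const getSubtle = async () =>
  globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;

// base64url: standard base64 with '+' and '/' swapped for '-' and '_', padding removed.
function b64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  const bin = atob(str.replace(/-/g, '+').replace(/_/g, '/'));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Import the shared secret as a non-extractable HMAC-SHA-256 key, enforcing the 32-byte floor.
async function importKey(secret, usage) {
  const raw = enc.encode(secret);
  if (raw.length < 32) throw new Error('HS256 secret must be at least 32 bytes');
  return (await getSubtle()).importKey('raw', raw, { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
}

// payload is used as given: include iat and exp yourself (seconds since the epoch).
async function signJwt(payload, secret) {
  const key = await importKey(secret, 'sign');
  const head = b64url(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const input = head + '.' + b64url(enc.encode(JSON.stringify(payload)));
  const sig = await (await getSubtle()).sign('HMAC', key, enc.encode(input));
  return input + '.' + b64url(new Uint8Array(sig));
}

// Returns true only for a well-formed HS256 token with a valid signature and unexpired exp.
async function verifyJwt(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  try {
    const [h, p, s] = parts;
    // Pin the algorithm instead of trusting whatever the header asks for.
    if (JSON.parse(dec.decode(b64urlDecode(h))).alg !== 'HS256') return false;
    const key = await importKey(secret, 'verify');
    const ok = await (await getSubtle()).verify('HMAC', key, b64urlDecode(s), enc.encode(h + '.' + p));
    if (!ok) return false; // signature is checked before any claim is read
    const claims = JSON.parse(dec.decode(b64urlDecode(p)));
    return typeof claims.exp !== 'number' || claims.exp > now;
  } catch { return false; } // malformed base64/JSON or a too-short secret
}
```

The length check counts bytes, not entropy: a 32-character phrase chosen by a person passes it but carries far less than 256 bits, so the secret should come from a random generator.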