Generate JSON Web Tokens (JWT) online with custom headers, payloads, and HMAC-SHA256 signing. This tool runs entirely in your browser — your secret key and data are never sent to any server. Perfect for developers testing authentication flows.
JSON Web Tokens (JWT) are the standard for stateless authentication in modern web applications and APIs. A JWT consists of three Base64url-encoded parts separated by dots: header (algorithm and type), payload (claims like user ID, expiration, roles), and signature (an HMAC or digital signature computed over the first two parts, so a verifier can detect any change to the header or payload). Base64url is ordinary Base64 with the URL-safe alphabet and no padding, which is why a JWT can travel in a header or query string unchanged. This generator creates properly signed JWTs for testing, development, and learning. It supports HMAC algorithms (HS256, HS384, HS512) for symmetric signing and RSA algorithms (RS256) for asymmetric signing. Understanding JWT structure is essential for implementing authentication, debugging auth issues, and securing APIs.
HS256 uses a shared secret (the same key signs and verifies). It is simpler, but the secret must be shared with every verifier, and anyone who holds it can mint tokens, so a compromised verifier can forge tokens for the whole system. The secret should be random and at least 256 bits long (RFC 7518 requires HMAC keys no shorter than the hash output), not a short passphrase. RS256 uses a private/public key pair: the private key signs, the public key verifies, and verifiers never need signing material. RS256 is preferred for distributed systems. Whichever you choose, the verifier must pin the expected algorithm rather than trusting the token's own alg header; accepting whatever alg the token names is what makes "alg": "none" and RS256-to-HS256 confusion attacks work.
Standard claims: sub (subject/user ID), exp (expiration), iat (issued at), iss (issuer), aud (audience), jti (unique token ID). Add custom claims for roles, permissions, or user data. A verifier should treat a missing exp as a failure and check iss and aud against what it expects, otherwise a token minted for one service is accepted by another. Keep payloads small: they're sent with every request and, since they are only encoded, they are readable by whoever holds the token.
No. JWTs are signed, not encrypted. The payload is Base64url-encoded (not encrypted) and can be read by anyone who sees the token, without the key. Never put sensitive data (passwords, secrets, personal details) in a JWT. Use JWE (JSON Web Encryption) if you need encrypted tokens, and note that encryption does not replace the signature: JWE protects confidentiality, the signature protects integrity.
Access tokens: 15-60 minutes. Refresh tokens: days to weeks. Short-lived access tokens limit the damage from theft, because a stolen token stops working on its own. Refresh tokens allow getting new access tokens without re-authentication, which is why they deserve more protection than access tokens: keep them out of browser-accessible storage, tie them to a server-side record so they can be revoked, and rotate them on each use so a replayed refresh token is detected.
Not directly: a signed token is valid until its exp passes, no matter what happened to the account in between. Workarounds: short expiration + refresh tokens (revoke the refresh token and the session ends within minutes), a denylist of revoked token IDs (jti) checked on each request, or token versioning (store a version number per user, put it in each token, and bump it on logout or password change so every older token fails). The first keeps verification stateless; the other two reintroduce a lookup per request, which is the main tradeoff of stateless authentication.