JWT Generator

Generate and sign JSON Web Tokens with custom claims and expiry time. Supports HS256 algorithm.

Algorithm

Secret

Issuer (iss)

Subject (sub)

Audience (aud)

Expiry (hours)

Custom Claims (JSON)

Frequently Asked Questions

What is the difference between HS256 and RS256?

HS256 uses a shared secret (symmetric). RS256 uses a private/public key pair (asymmetric). RS256 is more secure for distributed systems.

Can I set custom claims in the payload?

Yes, add any JSON data to the Custom Claims field. Common claims: iss (issuer), sub (subject), aud (audience), exp (expiry).

Is this production-ready?

This is a demo tool for testing. For production, use server-side JWT signing with proper cryptographic libraries like jsonwebtoken or jose.

Algorithm	Type	Key	Best for
HS256	Symmetric (HMAC)	Shared secret	Single-service auth where both sides share the same key
HS384	Symmetric (HMAC)	Shared secret	Same as HS256 with longer hash (384-bit)
HS512	Symmetric (HMAC)	Shared secret	Same as HS256 with longest hash (512-bit)
RS256	Asymmetric (RSA)	Private/public key pair	Distributed systems; token issuer signs, consumers verify
ES256	Asymmetric (ECDSA)	Private/public key pair	Like RS256 but smaller keys/signatures, faster
PS256	Asymmetric (RSA-PSS)	Private/public key pair	Stronger padding than RS256; preferred for high-security

User logs in — client sends credentials to the auth endpoint.
Server signs a JWT — server validates credentials, creates a payload with sub, exp, and any custom claims, signs it with the secret/private key.
Client stores the JWT — in memory (safest), localStorage, or an HttpOnly cookie.
Client sends JWT with each request — Authorization: Bearer <token> header.
Server verifies the signature — if valid and not expired, request is authorized.

This tool is intended for development and testing only. For production applications, always sign JWTs server-side using a well-audited library: