JWT Encoder
Paste a JSON payload and a secret — get a signed HS256 JWT with iat and exp set automatically.
How token creation works
Four steps, all automatic.
Build the header
A fixed header {"alg":"HS256","typ":"JWT"} is Base64url-encoded — the algorithm is always HS256.
Inject timestamps
iat (issued at) is set to now. If TTL > 0, exp (expires at) is set to now + TTL seconds.
Encode the payload
Your JSON payload (with iat and exp added) is Base64url-encoded to form the second segment.
Sign with HMAC-SHA256
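HMAC-SHA256(encoded header + "." + encoded payload, secret) produces the signature, which is Base64url-encoded as the third segment. The signing input is the two Base64url segments from the previous steps, not the raw JSON.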
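The four steps above as a runnable sketch, together with the matching verification a receiving service would perform. This is an added example, not this tool's own code; the function names, the 900-second default TTL and the `now` parameter (for repeatable runs) are assumptions.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # Base64url without '=' padding, as JWS (RFC 7515) requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    # Restore the stripped padding before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def encode_hs256(payload: dict, secret: bytes, ttl: int = 900, now=None) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}           # step 1: fixed header
    claims = dict(payload, iat=now)                    # step 2: inject iat
    if ttl > 0:
        claims["exp"] = now + ttl                      # exp only when TTL > 0
    segs = [b64url(json.dumps(o, separators=(",", ":")).encode())
            for o in (header, claims)]                 # step 3: encode segments
    signing_input = ".".join(segs).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()  # step 4
    return ".".join(segs + [b64url(sig)])

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, TypeError):
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token's header choose how it is verified
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))              # parse only after the MAC checks out
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

The verifier checks the signature before trusting any claim and rejects the token once the current time reaches `exp`.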
Choosing the right TTL
Shorter is safer — pair with refresh tokens for seamless UX.
One-time actions — password resets, email verification, payment confirmation.
Access tokens in a refresh-token architecture. Short enough to limit damage if stolen.
Internal APIs and tooling where convenience outweighs the longer exposure window.
Only for API keys with manual revocation. A stolen non-expiring token is valid forever.
HS256 vs RS256 — which should I use?
HS256 — this tool
Symmetric · shared secret
- One secret key used to both sign and verify
- Simpler setup — no key pair needed
- Both parties must have the secret
- Good for monoliths and internal APIs
RS256
Asymmetric · public/private key pair
- Private key signs, public key verifies
- Third parties can verify without the private key
- Publish the public key via JWKS endpoint
- Required for OAuth 2.0 / OIDC / federated identity
Use a strong secret key
A weak HS256 secret can be brute-forced offline by an attacker who obtains a signed token. Use at least 32 random characters. Never use common words, passwords or short strings as your JWT secret. Never hardcode the secret in client-side code; it must stay server-side only.