We use cookies to understand how DevToolsHub is used and to improve your experience. You can choose which types of cookies to allow.
Generate JWT tokens with custom header and payload.
Loading...
Loading...
A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It is widely used in modern web applications for authentication, authorization, and secure information exchange between parties. A JWT encodes a set of claims as a JSON object and signs them cryptographically, ensuring the token’s integrity can be verified by anyone who holds the signing key.
JWTs are used everywhere — from OAuth 2.0 access tokens and OpenID Connect ID tokens to API authentication, single sign-on (SSO) systems, and microservice-to-microservice communication. They are popular because they are stateless: the server can verify a token without a database lookup, reducing latency and infrastructure complexity. However, this statelessness also means JWTs cannot be easily revoked before their expiration, making proper claim design and key management critical.
Generating a JWT involves three steps: creating the header, creating the payload, and signing the token with a secret key. DevToolsHub’s JWT Generator handles all three steps in your browser — no server round-trips, no data leaving your device.
alg (the algorithm) and typ (the token type, typically "JWT"). The algorithm field is updated automatically when you change the dropdown selection.A JWT consists of three base64url-encoded segments separated by dots:header.payload.signature. Each segment serves a distinct purpose in the token’s structure.
The header is a JSON object that identifies the token type and the cryptographic algorithm used to sign it. The two required fields are alg, which specifies the signing algorithm (e.g., HS256, HS384, HS512), and typ, which is always set to "JWT". The header may also include a kid (key ID) field to help verifiers select the correct key in multi-key environments.
The payload contains claims — statements about an entity and additional metadata. The JWT specification defines seven registered claims: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). You can also include custom private claims such as role,name, or permissions to suit your application’s needs.
The signature is created by taking the base64url-encoded header and payload, joining them with a dot, and computing the HMAC of the resulting string using the secret key. The signature ensures that any modification to the header or payload will invalidate the token. When the recipient verifies the JWT, they recompute the signature using the shared secret and compare it to the one in the token. This tool uses the Web Crypto API to perform HMAC signing directly in your browser, ensuring your secret never leaves your device.
exp claim (15 minutes to 1 hour for access tokens) and use refresh tokens for long-lived sessions.exp and nbf claims, and confirm the iss and aud claims match expected values before trusting any JWT.Loading...