JWT Generator

Create JSON Web Tokens with custom headers, payloads, and HMAC-SHA256 signatures. Enter your payload and secret key to generate a signed JWT instantly.

How it works: Enter a JSON payload and secret key. The tool Base64URL-encodes the header and payload, signs them with HMAC-SHA256 using the Web Crypto API, and outputs a valid JWT. All processing happens in your browser. No data is sent to any server. Never use weak secrets in production. This tool is for development and testing.

How JWT Generation Works

JSON Web Token generation follows a precise three-step process defined in RFC 7519. First, the header is created as a JSON object specifying the signing algorithm and token type, then Base64URL-encoded. Second, the payload containing claims about the subject is also Base64URL-encoded. Third, the signature is computed by applying the chosen algorithm (typically HMAC-SHA256) to the concatenation of the encoded header and payload using a secret key. The final token joins all three parts with dots: base64url(header).base64url(payload).base64url(signature).

This tool implements the HS256 algorithm, which uses HMAC with SHA-256. The signing input is the string formed by concatenating the Base64URL-encoded header, a dot, and the Base64URL-encoded payload. This string is then signed using the secret key you provide. The resulting binary signature is Base64URL-encoded to form the third part of the JWT.

JWT Structure Deep Dive

The JWT header typically contains two fields. The alg field specifies the cryptographic algorithm used to sign the token. Common values include HS256 (HMAC-SHA256), RS256 (RSA-SHA256), and ES256 (ECDSA-SHA256). The typ field is set to "JWT" to indicate this is a JSON Web Token. While the header can contain additional fields like kid (key ID) for key rotation, the algorithm and type are the essential components.

Building JWT Payloads for Common Use Cases

For API authentication, a typical payload includes the user identifier (sub), issuer (iss), expiration (exp), and issued-at time (iat). A role-based access control payload might add custom claims like "role": "admin" or "permissions": ["read", "write"]. For microservice communication, include the calling service name as the issuer and the target service as the audience. Here is an example payload for an API authentication token:

{
  "sub": "user-123",
  "iss": "auth.example.com",
  "aud": "api.example.com",
  "exp": 1700000000,
  "iat": 1699996400,
  "role": "editor"
}

Base64URL Encoding vs Standard Base64

JWTs use Base64URL encoding rather than standard Base64. The differences are subtle but important: the + character is replaced with -, the / character is replaced with _, and trailing = padding characters are removed. These changes make the token safe for use in URLs, HTTP headers, and query parameters without additional encoding. Standard Base64 characters like + and / have special meanings in URLs and would require percent-encoding, making the token longer and harder to work with.

HMAC-SHA256 Signing Process

The HMAC-SHA256 signing process begins with the signing input: the encoded header and payload joined by a dot. The secret key is used as the HMAC key, and the signing input is the message. HMAC processes the key through two rounds of SHA-256 hashing with different padding constants to produce a 256-bit (32-byte) signature. Anyone who possesses the same secret key can recompute this signature to verify that the token was not modified and was created by a trusted party. Because HS256 is symmetric, every party that can verify a token can also create one, so the secret should be shared only with services trusted to issue tokens. Changing even a single character in the header or payload produces a completely different signature.
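
The signing steps described above, together with the matching verification, as an added example (not this tool's source code). It uses the Web Crypto API as the page describes; the function names, the sample secret, and the policy of rejecting any alg other than HS256 and any token without an unexpired exp are assumptions of this example.

```javascript
// Added example (not the tool's source). Browsers and Node.js 20+ expose
// crypto.subtle, btoa and atob as globals; the require is an older-Node fallback.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// Base64URL: standard Base64 with + -> -, / -> _, and = padding stripped.
function b64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(text) {
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function hmacKey(secret, usage) {
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

// Builds header.payload.signature from the three steps described above.
async function signJwt(payload, secret) {
  const header = { alg: "HS256", typ: "JWT" };
  const input = [header, payload]
    .map((part) => b64url(enc.encode(JSON.stringify(part)))).join(".");
  const sig = await subtle.sign("HMAC", await hmacKey(secret, "sign"), enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

// Returns the payload, or throws if the token must not be trusted.
async function verifyJwt(token, secret, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  // Pin the algorithm; the token's own header must not choose it.
  if (JSON.parse(dec.decode(b64urlDecode(h))).alg !== "HS256") throw new Error("unexpected alg");
  // The comparison happens inside subtle.verify, not with a string ===.
  const ok = await subtle.verify("HMAC", await hmacKey(secret, "verify"),
    b64urlDecode(s), enc.encode(`${h}.${p}`));
  if (!ok) throw new Error("bad signature");
  const payload = JSON.parse(dec.decode(b64urlDecode(p)));
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) throw new Error("expired");
  return payload;
}

// Payload from the example above; the secret is a constructed placeholder.
const samplePayload = { sub: "user-123", iss: "auth.example.com", aud: "api.example.com",
  exp: 1700000000, iat: 1699996400, role: "editor" };
const sampleSecret = "constructed-dev-secret-do-not-reuse";
```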

Frequently Asked Questions

What is a JWT Generator?

A JWT Generator creates tokens by Base64URL-encoding a header and payload, then signing them with HMAC-SHA256 using your secret key. The result is a three-part token: header.payload.signature.

How is a JWT signature created?

The signature is an HMAC-SHA256 hash of the encoded header and payload, computed with the secret key. It proves the token was created by someone who knows the key and has not been modified.

Can I use this JWT in production?

This tool is for development and testing. Production JWTs should be generated server-side using established libraries that handle key rotation and security edge cases.

What claims should I include?

Essential claims are sub (subject), iss (issuer), exp (expiration), and iat (issued at). Add aud (audience) for multi-service environments and custom claims like roles or permissions as needed.

What is the difference between JWT Generator and JWT Decoder?

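A generator creates new signed tokens from header, payload, and secret. A decoder extracts and displays the header and payload from an existing token without requiring the secret key. Decoding alone does not verify the signature, and because the payload is only encoded, not encrypted, anyone holding the token can read its claims.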
