Question 1

What is a JWT generator?

Accepted Answer

A JWT generator builds a signed JSON Web Token from a header, a payload of claims, and a signing secret. The token is three base64url-encoded parts separated by dots: header, payload, and signature. You typically need to generate JWTs when testing authentication flows, seeding local databases, or debugging token parsing in your application.

Question 2

Is it safe to generate JWTs in the browser?

Accepted Answer

Yes, as long as you only use test secrets. This tool signs tokens locally using the Web Crypto API, so your secret never leaves your browser. Never paste a production signing secret into any online tool - once a secret is pasted somewhere, treat it as leaked and rotate it in your environment.

Question 3

Why does this tool only support HS256, HS384, and HS512?

Accepted Answer

Those are HMAC algorithms that use a shared symmetric secret. RS256 and ES256 require an asymmetric private key, and pasting a private key into any browser tool is a serious security risk. For RSA or ECDSA signing, use your server-side library (jsonwebtoken, jose, pyjwt) where the private key stays in a secure environment.

Question 4

How do I set expiration on a JWT?

Accepted Answer

Add an exp claim to your payload with a Unix timestamp in seconds. Use the + exp (+1h) or + exp (+24h) buttons to insert a common expiry. Consumers of the token will reject it once the current time passes the exp value. Include iat (issued at) and optionally nbf (not before) for full time-based control.

Question 5

What are the standard JWT claims I should include?

Accepted Answer

The registered claims from RFC 7519 are: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (unique token ID). For auth tokens, sub identifies the user, exp limits token lifetime, and iat helps with rotation. Add custom claims like role or permissions as needed by your app.

Question 6

Can I decode a JWT I just generated?

Accepted Answer

Yes. Copy the token and paste it into the JWT Decoder to inspect the header, payload, and claims. Decoding only reveals the base64url-encoded parts and does not verify the signature, so it works even without the secret. Use it to confirm your generator is producing the structure you expect.

Question 7

What length should my JWT signing secret be?

Accepted Answer

For HS256, use at least 256 bits (32 random bytes). For HS384, use at least 384 bits. For HS512, use at least 512 bits. Generate secrets with a cryptographically secure random source (crypto.randomBytes in Node.js, openssl rand -base64 32, or crypto.getRandomValues in the browser) - never hand-type a secret.

JWT Generator

More Free Tools

Building a SaaS?

JWT Generator

More Free Tools

Building a SaaS?