JWT Encoder

Create and sign JSON Web Tokens locally. Private by design—everything runs in your browser.

Header & Payload

Tip: "typ": "JWT" will be set automatically if missing.


Sign & Output

Tip: Press Ctrl/Cmd + Enter to create a JWT. You can also drop a .json file into the payload box.

About this tool

This encoder assembles a JWT by JSON-encoding your header and payload, Base64URL-encoding both, and signing the byte string header.payload (when applicable) using the Web Crypto API.

Signing support

  • none: no signature (use with caution).
  • HS256: HMAC SHA-256 with a secret string.
  • RS256: RSA PKCS#1 v1.5 with SHA-256 using a PEM private key (PKCS#8 or PKCS#1).

Privacy

Everything runs locally in your browser—no uploads. For highly sensitive secrets or keys, consider using the offline bundle or a dedicated local environment.

5 Fun Facts about Creating JWTs

Whitespace changes the signature

Even pretty-printing the same JSON changes the bytes you sign—tiny spacing tweaks create a totally different signature.

Canonical quirks
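The assembly steps from "About this tool" and the whitespace fact above, as an added example (not the tool's own code). It signs the exact JSON text it is given with HS256 through Web Crypto, and pairs that with a verifier pinned to HS256. Function names, claims and the secret are constructed for illustration.

```javascript
// Added example: names and sample values are constructed, not taken from the tool.
// Browsers and recent Node expose Web Crypto globally; older Node needs the fallback.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const enc = new TextEncoder();

// Base64URL (RFC 7515): '+' -> '-', '/' -> '_', padding stripped.
function b64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}
const decodeText = (s) => new TextDecoder().decode(b64urlDecode(s));

function hmacKey(secret) {
  return subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
}

// Signs the exact JSON text it is given, so whitespace is part of the signed bytes.
async function signHs256(headerJson, payloadJson, secret) {
  const input = `${b64url(enc.encode(headerJson))}.${b64url(enc.encode(payloadJson))}`;
  const sig = await subtle.sign('HMAC', await hmacKey(secret), enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

// Verifier pinned to HS256: returns the claims, or null for any other alg
// (including "none"), a malformed token, or a signature that does not match.
async function verifyHs256(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3 || !parts[2]) return null;
  try {
    if (JSON.parse(decodeText(parts[0])).alg !== 'HS256') return null;
    const ok = await subtle.verify('HMAC', await hmacKey(secret),
      b64urlDecode(parts[2]), enc.encode(`${parts[0]}.${parts[1]}`));
    return ok ? JSON.parse(decodeText(parts[1])) : null;
  } catch { return null; }
}

// Same claims, compact vs pretty-printed JSON: two tokens with different signatures.
async function whitespaceDemo(secret) {
  const header = '{"alg":"HS256","typ":"JWT"}';
  const claims = { sub: 'user-1', exp: 1900000000 }; // constructed sample claims
  const compact = await signHs256(header, JSON.stringify(claims), secret);
  const pretty = await signHs256(header, JSON.stringify(claims, null, 2), secret);
  return { compact, pretty };
}
```

Both tokens from `whitespaceDemo` verify and decode to the same claims, but their signatures are not interchangeable.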

“none” is truly none

alg none omits the signature entirely. It’s handy for debugging but shouldn’t leave local/dev environments.

Debug only

HS256 vs RS256 changes trust

HS256 means everyone who verifies also holds the secret, and so can also sign tokens; RS256 lets many services verify with just the public key.

Trust model

Short TTLs tame replay

Many teams mint access tokens for 5–15 minutes and rely on refresh tokens to keep sessions alive.

Expiry habit

kid is a key breadcrumb

A kid header points verifiers to the right key in a JWK set; without it, they may have to try every candidate key.

Rotation helper
