JWT Sign / Create

Guide: JWT Sign / Create

What is this tool?

This JWT creator lets you build and sign JSON Web Tokens (JWTs) directly in your browser. Enter a JSON header, payload with any claims, and a secret key, and the tool produces a signed token using HMAC-SHA256 (HS256), HMAC-SHA384 (HS384), or HMAC-SHA512 (HS512). The output is color-coded by part (header in red, payload in purple, signature in cyan) so you can see the JWT structure. With auto-sign enabled, the token updates as you type. All signing uses the browser's Web Crypto API—your secret and token never leave your machine.

Why use a JWT signer?

Developers often need to create test JWTs when building auth flows, testing API middleware, mocking user sessions, or verifying token validation logic. Instead of writing code, installing CLI tools, or using external services that may log your secret, this tool lets you build a signed JWT in seconds—entirely in the browser.

Build & Test

  • Create test tokens for API development
  • Mock user sessions with custom claims
  • Set iat/exp with one click for time testing

Learn & Debug

  • Understand JWT structure (header.payload.signature)
  • See how algorithm changes affect the token
  • Pair with the JWT Decoder to verify round-trip

Key features

  • HMAC algorithms — HS256, HS384, and HS512 via the browser's Web Crypto API. Select the algorithm from a dropdown; the header's alg field updates automatically.
  • Auto-sign — Token updates in real-time as you edit the header, payload, or secret. Toggle auto-sign off if you prefer manual signing.
  • Color-coded output — Header (red), payload (purple), and signature (cyan) are displayed in different colors so you can visually parse the three JWT parts.
  • Set iat/exp — One-click button to set iat (issued at) to now and exp (expiry) to now + 1 hour.
  • Show/hide secret — Toggle visibility of the secret field like a password input.
  • Copy token — Copy the full signed JWT to the clipboard with one click.
  • Copy base64 header — Copy just the base64url-encoded header for debugging or manual inspection.
  • JSON validation — Shows an error if the header or payload is not valid JSON, preventing malformed tokens.
  • Local storage persistence — Your header, payload, secret, and algorithm are saved in localStorage and restored on next visit. localStorage is readable by any script running on this origin and persists on a shared machine, so use throwaway test secrets only.
  • 100% client-side — Your secret and token never leave your browser. Signing uses the native Web Crypto API.

How this tool works (step-by-step)

  1. Edit the header — The header JSON contains the alg and typ fields. Changing the algorithm dropdown auto-updates the header.
  2. Edit the payload — Add any standard claims (sub, name, iat, exp) or custom fields. Use "Set iat/exp to now" for quick time values.
  3. Enter a secret — Type your HMAC signing secret. Show/hide it as needed.
  4. Get the signed token — The JWT appears below, color-coded by part. Copy it to use in API requests, test harnesses, or debugging.

Real-world examples

Basic auth token

Create a token with standard claims for testing an API that requires Bearer authentication:

// Header
{ "alg": "HS256", "typ": "JWT" }

// Payload
{
  "sub": "user-123",
  "name": "Jane Doe",
  "role": "admin",
  "iat": 1706600400,
  "exp": 1706604000
}

// Secret: your-256-bit-secret
// (placeholder only: this string is 19 bytes, i.e. 152 bits, short of the 256 bits HS256 requires)

// Output → eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOi...

Token with custom claims

Add any custom claims your API needs—permissions, tenant IDs, feature flags, etc. The tool accepts any valid JSON object as the payload.

Use cases

Scenario                 | How this tool helps
-------------------------|------------------------------------------------------------------------------------
API development          | Create test Bearer tokens with specific claims to test your API endpoints and middleware.
Auth flow testing        | Generate tokens with different roles, permissions, or expiry times to test authorization logic.
Mock user sessions       | Build JWTs that simulate logged-in users with specific user IDs, names, and roles.
Learning JWT structure   | See how header, payload, and signature fit together. Change the algorithm and watch the token change.
Verify with decoder      | Sign a token here, then paste it in the JWT Decoder to verify the round-trip works correctly.

Best practices for JWT creation

  • Always set expiry — Include an exp claim, and make sure the verifier enforces it. A token without exp stays valid until the secret is rotated, so a single leaked token is a permanent credential.
  • Use strong secrets — RFC 7518 requires an HMAC key at least as long as the hash output: 256 bits (32 bytes) for HS256, 384 bits for HS384, 512 bits for HS512. Generate it with a CSPRNG. A passphrase or dictionary word, however long, can be brute-forced offline by anyone who captures one signed token.
  • Keep payloads minimal — JWTs are sent with every request. Include only the claims your API needs (user ID, role, permissions). The payload is only base64url-encoded, not encrypted, so never put secrets or personal data in it.
  • Prefer HS256 when a shared secret fits — HS256 is the most widely supported HMAC algorithm and is suitable for a single service, or a small set of fully trusted services, that both issue and verify. Remember that HMAC is symmetric: every verifier holds the secret and can therefore mint tokens too. When verifiers are many or not fully trusted, use an asymmetric algorithm (RS256, ES256) so only the issuer holds the signing key.
  • Test expired tokens — Set exp to a past timestamp to verify your API correctly rejects expired tokens.
  • This tool is for testing — Use server-side libraries (jsonwebtoken, jose, or your framework's auth module) for production token generation.

Common mistakes & how to avoid them

  • Invalid JSON in header or payload — The tool shows an error if either field is not valid JSON. Check for trailing commas, unquoted keys, or missing brackets.
  • Empty secret — A secret is required for HMAC signing. The tool will show an error if the secret field is empty.
  • Mismatched algorithm — If your API expects HS256 but you sign with HS512, verification will fail. Ensure the algorithm matches what your backend expects. On the verifying side, pin the algorithm(s) you accept in configuration rather than reading alg from the token header; a verifier that honours whatever alg the header names can be tricked into accepting alg "none" or the wrong key type.
  • Confusing iat with exp — iat is "issued at" (when the token was created), exp is "expiry" (when it becomes invalid). Both are Unix timestamps in seconds, not milliseconds; a value with 13 digits is almost certainly milliseconds and will read as a date in the far future.
  • Using test tokens in production — Tokens created here are real, valid JWTs. Never use a test secret in production environments.

FAQ

Can I use RSA or ECDSA?

Currently this tool supports HMAC algorithms only (HS256, HS384, HS512). For RSA (RS256) or ECDSA (ES256) tokens, use a library such as jose or jsonwebtoken, or the jwt.io debugger.

Is my secret safe?

Yes, in the sense that it never leaves your browser: signing is done locally via the Web Crypto API and nothing is sent to a server. The secret is also written to localStorage so it survives reloads. That store is readable by any script running on this origin and persists on a shared machine, so use throwaway test secrets, clear the field when you are done, and never paste a production secret here.

Can I decode a JWT here?

Use the companion JWT Decoder tool to decode and inspect existing tokens. You can sign here and decode there to verify the round-trip.

Is this tool for production use?

This tool is designed for testing and development. For production token generation, use a server-side library like jsonwebtoken (Node.js), PyJWT (Python), or your framework's auth module.

What is base64url encoding?

JWT uses base64url encoding (not standard base64). It replaces + with -, / with _, and removes trailing = padding. This makes JWTs safe to use in URLs and HTTP headers.

Can I add custom claims?

Yes. The payload is any valid JSON object. Add any custom fields like roles, permissions, tenant_id, or feature_flags.

What happens if my JSON is invalid?

The tool validates the header and payload as JSON. If either is invalid, an error message is shown and no token is generated.

Is it free?

Yes. The JWT signer is completely free with no sign-up required. All signing runs in your browser.

This tool is commonly searched as JWT generator, JWT creator, create JWT online, sign JWT, JWT builder, HMAC JWT, HS256 token generator, JWT signer online, generate JSON Web Token, and JWT maker. It complements the JWT Decoder for a complete encode/decode workflow—all in the browser.

Conclusion

A JWT signer is a handy tool for any developer working with token-based authentication. This tool lets you build JWTs with any claims, sign with HMAC (HS256/384/512), and see the color-coded result, all in the browser with no sign-up and no server, so your test secret is never transmitted. Pair it with the JWT Decoder for a complete encode/decode workflow.