What does this JWT builder actually do?

It assembles a JSON Web Token from three parts — a base64url-encoded header, a base64url-encoded payload of your claims, and an HMAC signature. The signature is computed in your browser with the Web Crypto API over the string 'header.payload' using your secret, then appended as the third segment.

Is my secret or token sent anywhere?

No. Everything runs locally in your browser. The secret, the claims and the finished token never touch a server, and there are no network requests. You can disconnect from the internet and the tool still works.

Which signing algorithms are supported?

The HMAC family — HS256, HS384 and HS512. These use a single shared secret to both sign and verify. RS256 and ES256 use a private/public key pair and are intentionally out of scope for a client-side builder, since your private key should never live in a web page.

How do I set an expiry on the token?

Turn on the exp time claim and choose a lifetime preset such as 1 hour or 7 days. The tool reads the current time, adds the lifetime in seconds, and writes the result as the exp claim (a numeric Unix timestamp). It also shows the human-readable expiry date so you can sanity-check it.

What is the difference between iat, nbf and exp?

iat is 'issued at' — when the token was created. nbf is 'not before' — the token is invalid until this time. exp is 'expiry' — the token is invalid after this time. All three are numeric Unix timestamps in seconds, and most JWT libraries enforce nbf and exp automatically during verification.

My secret is base64-encoded — will the signature still match?

Yes, if you tick 'Secret is base64url-encoded'. Many systems store the HMAC key as base64. When that box is on, the tool decodes the secret back to raw bytes before signing, so the signature matches what your server produces. Leave it off to treat the secret as plain UTF-8 text.

Can I add custom or nested claims?

Absolutely. Type any claim key and set its type to string, number or boolean, or choose 'json' to paste a raw object or array — for example a permissions list or a nested metadata object. Invalid JSON is flagged before signing so you never produce a malformed token.

How can I check the token is correct?

Paste the result into the companion JWT Decoder to read the header and payload back, or into your own verifier with the same secret. Because signing is deterministic, the same header, payload and secret always produce the same token.

JWT Builder — Gera Tools

A JWT builder that lets you assemble a JSON Web Token claim by claim and sign it with HS256, HS384 or HS512 right in your browser. It is for developers who need a valid token to test an API, seed a fixture, reproduce a bug, or learn how the three JWT segments fit together — without pasting a secret into an online service that might log it.

How it works

A JSON Web Token is three base64url-encoded parts joined by dots: header.payload.signature. The header declares the signing algorithm and token type. The payload carries your claims — both registered ones like sub, iss, aud, exp and any custom data you need. The signature proves the token has not been tampered with.

This tool builds all three. You edit the header (algorithm plus an optional field such as kid), add payload claims with the right JSON type, and toggle the standard time claims iat, nbf and exp. When you enter a secret, the tool base64url-encodes the header and payload, joins them, and runs HMAC over that string using the browser’s native crypto.subtle Web Crypto primitive. The resulting MAC is base64url-encoded and appended as the third segment. The token re-signs automatically every time you change a claim or the secret, so the output is always current.

Because HMAC is symmetric, the same secret both signs and verifies. Your server can validate the token by recomputing the signature with the identical secret and comparing — which is exactly what libraries like jsonwebtoken, jose or PyJWT do under the hood.

Example

Suppose you want a one-hour admin token for a staging API. Add sub = user-123, role = admin, set the issuer iss = https://gera.tools, enable iat and exp with a 1 hour preset, and use the secret your-256-bit-secret. The builder produces a token whose payload decodes to:

Claim	Value
sub	user-123
role	admin
iss	https://gera.tools
iat	1717000000 (now)
exp	1717003600 (now + 3600s)

Copy it as Authorization: Bearer ... and paste straight into your HTTP client. Flip the algorithm to HS512 or change the expiry and the signature updates instantly.

Every byte is computed locally — the secret and the finished token are never uploaded or stored on any server.