Generate a signed HS256 JWT
Testing an API that expects a Bearer token often means hand-signing a JWT. This
tool builds and signs a JSON Web Token with the HS256 (HMAC-SHA256) algorithm
in your browser: provide a JSON payload and a shared secret, and it emits a
standard header.payload.signature token ready to drop into an
Authorization: Bearer header.
How it works
A JWT is built from three parts, and every step runs locally via the Web Crypto API:
- Header — fixed to {"alg":"HS256","typ":"JWT"} and Base64URL-encoded.
- Payload — your JSON claims, Base64URL-encoded.
- Signature — HMAC-SHA256(header + "." + payload, secret), Base64URL-encoded.
The three parts are joined with dots to produce the final token. The same secret is required to verify the token later, since HS256 is symmetric.
Example
A payload of { "sub": "1234", "name": "Sam" } signed with the secret
my-secret produces a token of the form:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0Iiwi...
.<signature>
The first segment decodes to the header, the second to your payload, and the
third is the HMAC signature that any party holding my-secret can recompute to
verify the token.
The signing uses the browser’s native Web Crypto API — your secret and claims never leave the page, so it is safe for local development and integration testing.