JWT Generator

JSON Web Tokens are the dominant stateless auth format on the modern web — every OAuth/OIDC flow, every Auth0 / Cognito / Firebase session, every API gateway. Generating a JWT locally is useful for testing handlers, mocking auth in dev environments, and reproducing edge cases you've seen in production. It is not safe to use locally generated JWTs for anything in production.

JWT structure

Three base64url-encoded parts separated by dots: header.payload.signature.

• Header. {"alg":"HS256","typ":"JWT"} — the signing algorithm.
• Payload. The "claims": sub (subject), iat (issued at), exp (expiry), iss (issuer), aud (audience), plus your own.
• Signature. HMAC-SHA256(secret, header.payload) for HS256, or an RSA/ECDSA signature for RS256/ES256.

Picking an algorithm

• HS256 (HMAC). Symmetric, single shared secret. Fast and simple. Good for monoliths or services where the issuer and verifier are the same code.
• RS256 (RSA). Asymmetric. The issuer signs with a private key; verifiers use the public key. Right for any system where the verifier shouldn't be able to mint tokens (microservices, third-party APIs).
• ES256 (ECDSA P-256). Same as RS256 but with smaller keys and signatures. Recommended for new systems.
• none. Means no signature. Never accept this in production — many "JWT bypass" CVEs come from libraries that allow it.

Standard claims to set correctly

• exp — expiry, Unix epoch seconds. Mandatory in any real system.
• iat — issued at. Useful for revocation policies.
• nbf — not before. Token is invalid until this time.
• iss — issuer. Hardcode and verify exactly.
• aud — audience. Verify your service is the intended audience.
• sub — subject (typically user ID).
• jti — unique JWT ID. Useful for one-time-use tokens.

Common pitfalls

• Long-lived tokens with no revocation. Once issued, JWTs are valid until they expire. Use short expiries (5–15 minutes) plus refresh tokens for sessions.
• Storing in localStorage. XSS-readable. Prefer HttpOnly cookies with SameSite=Strict.
• Storing sensitive data in payload. The payload is base64-encoded, not encrypted. Anyone can read it.
• Verifying without checking alg. Some libraries trust the alg in the header, allowing an attacker to switch from RS256 to HS256 and sign with the public key as a secret.
• Not validating iss and aud. Without these checks, a JWT minted for service A can be replayed against service B.

This generator produces test JWTs in your browser — never use the output in production. For deeper SSO context, see SAML vs OIDC vs OAuth2 in 2026.

Frequently Asked Questions