Signing runs entirely in your browser (WebCrypto HMAC). Your secret and payload are never uploaded. HS256/384/512 only.
When you're testing an API or auth flow and need a JWT (JSON Web Token) with claims you control, this tool builds a signed token with nothing more than paste and copy. Write your claims as JSON in the payload box (`sub`, `name`, `iat`, `exp`, or anything you like), enter a secret, and a `header.payload.signature` JWT appears instantly on the right. The header is assembled automatically for the chosen algorithm (`{ "alg": "HS256", "typ": "JWT" }` for HS256), so you don't have to write it. You can pick HS256, HS384 or HS512 (all HMAC + SHA, shared-secret signing). The token you get can be pasted straight into the JWT Decoder to inspect it, or dropped into an `Authorization: Bearer ...` header to test or mock an API.

Signing is computed with the standard WebCrypto API built into your browser, and your secret, payload and the resulting token are never uploaded, stored, or sent to a server, so even a throwaway test key stays on your device.

Note that this tool supports the shared-secret **HMAC family (HS256/384/512)** only. Asymmetric algorithms like RS256 / ES256, which use a public/private key pair, are out of scope because pasting a private key into a web page would be unsafe. Issue production tokens with a server-side library, and use this tool for development, debugging and learning.
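The signing steps described above, together with the matching check a receiving API would run on the token, as an added example (not this tool's own source code). The function names `signJwt` and `verifyJwt` are assumptions made for illustration.

```javascript
// WebCrypto is a global in browsers and current Node; older Node exposes it via node:crypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const HASHES = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const enc = new TextEncoder(), dec = new TextDecoder();

// JWT segments are base64url without padding.
function b64url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromB64url(s) {
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/"));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

async function importKey(secret, alg, usage) {
  if (!Object.hasOwn(HASHES, alg)) throw new Error("unsupported alg: " + alg);
  const algo = { name: "HMAC", hash: HASHES[alg] };
  return subtle.importKey("raw", enc.encode(secret), algo, false, [usage]);
}

// Build header.payload.signature; the header is derived from the chosen algorithm.
async function signJwt(claims, secret, alg = "HS256") {
  const key = await importKey(secret, alg, "sign");
  const header = b64url(enc.encode(JSON.stringify({ alg, typ: "JWT" })));
  const input = header + "." + b64url(enc.encode(JSON.stringify(claims)));
  const sig = await subtle.sign("HMAC", key, enc.encode(input));
  return input + "." + b64url(new Uint8Array(sig));
}

// Returns the claims, or null on any failure. The expected algorithm is pinned by
// the caller rather than read from the token, and subtle.verify compares MACs for us.
async function verifyJwt(token, secret, expectedAlg = "HS256", now = Date.now() / 1000) {
  const [h, p, s, extra] = token.split(".");
  if (!h || !p || !s || extra !== undefined) return null;
  try {
    if (JSON.parse(dec.decode(fromB64url(h))).alg !== expectedAlg) return null;
    const key = await importKey(secret, expectedAlg, "verify");
    const ok = await subtle.verify("HMAC", key, fromB64url(s), enc.encode(h + "." + p));
    if (!ok) return null;
    const claims = JSON.parse(dec.decode(fromB64url(p)));
    if (typeof claims.exp === "number" && claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed base64url or JSON
  }
}
```

Both functions are async: call them with `await`, for example `await verifyJwt(await signJwt({ sub: "test" }, secret), secret)`.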
How to use
- Write your claims as JSON in the payload box (use "Sample" to drop in an example with sub, name, iat and exp).
- Enter a secret, and pick the algorithm — HS256, HS384 or HS512 — if you need a different one.
- A signed JWT is generated instantly on the right. Click "Copy" to grab it. Your secret and token are never sent anywhere.
FAQ
Are my secret and payload uploaded anywhere?
No. Signing is computed entirely in your browser with WebCrypto (the standard crypto API). Your secret, payload and the generated token are never uploaded, stored, or sent to a server — even a test key stays on your device.
Which algorithms are supported?
The shared-secret HMAC family: HS256, HS384 and HS512. Asymmetric algorithms like RS256 and ES256 use a public/private key pair and are out of scope, since pasting a private key into a web page would be unsafe.
How do I add an expiry (exp) to the payload?
Add `exp` to your payload JSON as Unix seconds (seconds since 1970). The "Sample" button fills in `iat` (issued-at) and an `exp` one hour ahead based on the current time, so editing that is the quickest start.
Can I inspect the JWT I generated?
Yes. Paste the token into our JWT Decoder to see the header and payload as formatted JSON, with time claims like exp expanded into readable dates — generate and inspect side by side.
Can I use this to issue production tokens?
This tool is meant for development, debugging and learning. For production, keep your secret safely on the server and issue tokens with a server-side library (such as jsonwebtoken).