Create signed JWTs with multiple algorithms or decode existing tokens. View headers, payloads, and claims. All processing happens locally in your browser.
Security Note
All JWT signing happens locally in your browser. Your keys never leave your device. However, you should never use production secrets in online tools - use this only for development and testing.
The secret key is used to sign the JWT. Keep it secure and never share it.
Select Encode to create a new JWT, or Decode to inspect an existing token. You can switch between modes at any time.
Select an algorithm (HS256 recommended for most cases), enter your payload as JSON, and provide your secret key. Use quick claim buttons to add standard claims.
Click "Encode JWT" to create your token, or paste an existing token in Decode mode. The output is color-coded to show header, payload, and signature.
Use "Decode This Token" to verify your encoded JWT. Copy the token or individual sections as needed. Use "Edit in Encoder" to modify a decoded token.
A JWT consists of three parts separated by dots: header.payload.signature. Each part is Base64URL encoded. The header and payload are JSON objects, while the signature is computed over the encoded header and payload (an HMAC or a digital signature, depending on the algorithm) and is used for verification.
Parse the payload JSON and validate it. Create the header with algorithm and type. Base64URL encode both header and payload. Concatenate with a dot separator. Sign using the specified algorithm and key. Append the signature to create the final token.
HS256/384/512: HMAC with SHA-256/384/512 (symmetric, uses secret key). RS256/384/512: RSA with SHA-256/384/512 (asymmetric, uses key pair). ES256/384/512: ECDSA with P-256/384/521 curves (asymmetric, uses key pair). PS256/384/512: RSA-PSS with SHA-256/384/512 (asymmetric, uses key pair). none: No signature (for testing only, never use in production).
Split the token by the dot (.) separator. Base64URL decode the header (first part). Base64URL decode the payload (second part). Parse both as JSON objects. Display the signature (third part) as-is.
JWTs are encoded, not encrypted - contents are readable. Never store sensitive data in JWTs that you wouldn't want exposed. Always verify signatures server-side before trusting claims. Use short expiration times and refresh tokens. Never use production secrets in online tools.
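The encoding steps and the "verify signatures server-side" advice above, as an added example (not this tool's own code). It covers only the HMAC algorithms; the function names, key and claims are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(data: bytes) -> str:
    # JWTs use Base64URL with the trailing "=" padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(payload: dict, key: bytes, alg: str = "HS256") -> str:
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode("ascii"), HS_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, key: bytes, allowed=("HS256",), now=None) -> dict:
    """Return the claims only if the signature and expiry both check out."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # The verifier chooses the algorithms, never the token: this rejects "none"
    if alg not in allowed or alg not in HS_ALGS:
        raise ValueError("algorithm not allowed")
    signed = f"{head_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signed, HS_ALGS[alg]).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # trusted only after the check
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    key = b"constructed-dev-only-key"  # constructed sample, not a real secret
    tok = encode_jwt({"sub": "alice", "exp": int(time.time()) + 300}, key)
    print(tok)
    print(verify_jwt(tok, key))
```
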
A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts: header (algorithm info), payload (claims/data), and signature (verification). JWTs are commonly used for authentication and authorization in web applications.