RubanTools

JWT Generator

Create signed HS256 JSON Web Tokens - fill header, payload and secret. All processing in your browser via Web Crypto API.


JWT FAQ

JWT signing creates a cryptographic signature over the header and payload using a secret (HS256) or private key (RS256). This signature is appended as the third part of the token. When a server receives a JWT, it recomputes the signature and compares it with the one in the token; if they match, the token was not tampered with. Signing does not encrypt; anyone can read the payload.

HS256 uses a shared secret - both the signer and verifier need the same key. It is suitable for single-service auth where one system signs and verifies. RS256 uses an RSA key pair - the private key signs, the public key verifies. It is suitable for microservices or third-party verification where the signer and verifier are different systems. RS256 is the OAuth 2.0 recommendation.

exp (expiration time) is a Unix timestamp after which the token must not be accepted. Always set an expiry - tokens without exp are valid forever if the secret is not rotated. Typical values: 15–60 minutes for access tokens, 7–30 days for refresh tokens. iat (issued-at) and nbf (not-before) provide additional time-based validation.