JWT Builder & Sign (HS256, Web Crypto)

When you need to build a JWT

• Test API auth: need a valid token to test a protected endpoint — generate one and paste into Postman/curl.
• Mock auth response: frontend devs don't have to wait for backend /login — fake the JWT response.
• Learn JWT: experiment with claims, signatures — see how auth actually works.
• Debug expired tokens: regenerate a token with a longer exp.

JWT structure

<header>.<payload>.<signature>

Header:    base64url(JSON header)         # alg, typ
Payload:   base64url(JSON claims)         # sub, exp, iat, custom...
Signature: base64url(HMAC-SHA256(
  header + "." + payload, secret
))

Standard claims (RFC 7519)

• iss (issuer): who issued the token.
• sub (subject): user_id the token is about.
• aud (audience): which service the token is for.
• exp (expiration time): Unix timestamp when the token expires.
• nbf (not before): earliest Unix timestamp the token is valid.
• iat (issued at): Unix timestamp when the token was created.
• jti (JWT ID): unique ID — prevents replay attacks.

⚠️ Security warnings

• HS256 vs RS256: HS256 uses a symmetric secret — issuer and verifier share the key. RS256 uses asymmetric (private/public) keys — more secure for microservices. This tool only supports HS256.
• Weak secrets: avoid short secrets (< 32 bytes). Production should use a random 256-bit secret from crypto.randomBytes(32).
• DO NOT store sensitive data in the payload: the payload is just base64-encoded (NOT encrypted) — anyone can read it. No passwords, no full credit cards.
• Production must sign server-side: this tool runs in your browser — pasting a production secret would leak it. Use for test/dev only.

Related

• JWT Decoder — verify the token you just built
• UUID / Hash / Base64
• Unix Timestamp — convert exp/iat to dates
• HTTP Status Reference — 401 vs 403
• All tools