JSON Web Token (JWT) Signer

Sign JWTs locally with HMAC secrets or PEM/JWK private keys for API testing and authentication debugging.

Payload and header
Edit the JSON claims and optional protected header fields that will be signed into the token.
Registered claim helpers

Use these controls to update common NumericDate claims in the payload JSON.

The iat helper shows a live signing value and writes it to payload.iat only when you sign.

Payload value: 1713139200
Signing value: 1713139200

For exp, manual input sets a fixed value. Quick offsets follow the signing iat and are finalized when you sign.

Payload value: Not set
Signing value: Not set

The selected algorithm is always written into the header. Use this field for values such as kid or typ overrides.

Signing key
Choose an algorithm, provide the matching secret or private key, then generate a compact JWT.

HMAC algorithms use a shared secret.

Used for HS256, HS384, and HS512. The secret is not saved to local storage.

Signed token
Copy the compact JWT or inspect the exact header, payload, and signature segments.
Add a valid JSON payload and signing key, then sign to create a compact JWT.

What is a JWT signer?

A JWT signer creates a compact JSON Web Token by serializing a header and payload, then signing them with a secret or private key. The result is the three-part header.payload.signature token used by many API, OAuth, and session systems.

When to use this tool

  • Create local test tokens for API development, staging environments, and demos.
  • Compare how different algorithms change the token header and signature.
  • Add claims such as sub, iss, aud, exp, iat, scope, or custom application fields without writing a throwaway script.
  • Generate tokens with HMAC shared secrets or with RSA/ECDSA private keys in PKCS#8 PEM or JWK form.

What to check before using a signed token

  • Match the algorithm to the key type: HS* uses a shared secret, RS* and PS* use RSA private keys, and ES* uses EC private keys.
  • Add expiry and audience claims when the receiving service expects them.
  • Keep production private keys out of shared browsers and machines. This tool runs locally, but it cannot protect keys from an already compromised device.
  • Remember that signing is not encryption. Anyone who receives the token can decode the header and payload.
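The signing steps and checks described above, as an added Python example that is not this tool's own code. It covers only the HS* algorithms; the function names, the ttl parameter (modelled on the quick exp offsets) and all sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    # JWS uses URL-safe base64 with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_jwt(payload, secret, alg="HS256", extra_header=None, now=None, ttl=None):
    digest = HS_ALGS[alg]  # KeyError for anything that is not an HS* algorithm
    header = {"typ": "JWT", **(extra_header or {}), "alg": alg}  # selected alg always wins
    iat = int(time.time()) if now is None else now
    claims = {**payload, "iat": iat}  # iat is fixed at signing time
    if ttl is not None:
        claims["exp"] = iat + ttl  # offset-style exp follows the signing iat
    segs = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(segs)
    sig = hmac.new(secret, signing_input.encode("ascii"), digest).digest()
    return f"{signing_input}.{b64url(sig)}"

def decode_unverified(token):
    # No key needed: the first two segments are only encoded, not encrypted
    h_seg, p_seg, _ = token.split(".")
    return json.loads(b64url_decode(h_seg)), json.loads(b64url_decode(p_seg))

def verify_jwt(token, secret, expected_alg, audience, now=None):
    h_seg, p_seg, s_seg = token.split(".")
    # Pin the algorithm on the verifier side; never take it from the token alone
    if json.loads(b64url_decode(h_seg)).get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_seg}.{p_seg}".encode("ascii"), HS_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_seg)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_seg))
    if "exp" in claims and (int(time.time()) if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value, not a real key
    token = sign_jwt({"sub": "user-1", "aud": "api://demo"}, secret, ttl=300, extra_header={"kid": "test-1"})
    print(token)
    print(decode_unverified(token))  # readable without the secret
    print(verify_jwt(token, secret, "HS256", "api://demo"))
```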