Generating a JWT means encoding a header and your claims, then signing them so the token can be trusted. With HS256, the signature is an HMAC-SHA256 of the header and payload using a shared secret. To create one, put your claims in a generator, add a secret, and sign. Here is how the pieces come together.
Add your claims (sub, name, exp, iat…) as JSON.
Provide the HMAC secret; the same secret verifies the token later.
The header and payload are Base64URL-encoded and signed with HMAC-SHA256.
Copy it into an Authorization header, a test, or a cookie.
How HS256 signing works
The token is base64url(header) + "." + base64url(payload), and the signature is HMAC-SHA256(thatString, secret) appended as a third part. Anyone with the secret can recompute and verify it. The JWT generator does this with the Web Crypto API, so your secret never leaves your browser.
Add an expiry
Include an exp claim — a Unix timestamp — so the token stops being valid after a point. Convert a date to epoch with the timestamp converter. Then inspect the result with the decoder and confirm the signature with the validator.
Tip: Use a long, random secret (32+ bytes) for HS256 — generate one with the password generator. A weak secret makes the signature trivial to forge.
Generate a JWT now
Sign an HS256 token from your claims and secret — free, in your browser.
Open the JWT Generator →Frequently Asked Questions
How do I generate a JWT?
Encode a header and your payload, then sign them with HMAC-SHA256 and your secret. A generator does all three steps.
What algorithm is used?
HS256 (HMAC-SHA256), the most common symmetric JWT algorithm.
Is my secret uploaded?
No — signing happens in your browser with the Web Crypto API.