JWT Builder

Construct, sign, and inspect JSON Web Tokens with HMAC algorithms — entirely in your browser.

About the JWT Builder & Decoder

What is a JSON Web Token (JWT)?

JSON Web Tokens (JWT) are an open, industry-standard (RFC 7519) method for representing claims securely between two parties. They are the backbone of modern web authentication and authorization systems. A JWT is essentially a compact, URL-safe string that carries information—such as a user's ID or permissions—that can be verified and trusted because it is digitally signed. This JWT Builder & Decoder allows you to craft these tokens from scratch, decode existing ones, and verify their signatures using HMAC algorithms.

Anatomy of a JWT

A JSON Web Token consists of three distinct parts separated by dots (.), which you can see color-coded in our display:

  • Header (Red): Typically contains the type of token (JWT) and the signing algorithm being used, such as HS256 (HMAC SHA-256).
  • Payload (Yellow): Contains the "claims." These are statements about an entity (typically, the user) and additional data like expiration times (exp) or issuer details (iss).
  • Signature (Green): The signature is computed over the encoded header and the encoded payload, joined by a dot, using the secret and the algorithm specified in the header. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

Testing and Debugging Claims

This tool is a powerful sandbox for developers to test their implementation of JWT-based authentication. Use our Claim Shortcuts to quickly add standard registered claims like iat (Issued At) or jti (unique ID). Our integrated Expiry Calculator helps you set precise exp timestamps, while the decoded view provides a real-time relative countdown to ensure your tokens behave as expected in production environments.

Privacy-First Token Management

Security and secrets are the most sensitive parts of your application’s infrastructure. Most online JWT tools send your payload and your "Signing Secret" to a remote server for processing, which is a massive security vulnerability.

Our JWT Builder uses the Web Crypto API to perform all cryptographic signing and hashing locally within your browser. Whether you are generating a random 256-bit secret or pasting a live production key to verify a token, your data stays in your RAM and is never transmitted over the internet.