JWT Builder

Build and sign JSON Web Tokens (JWT) in your browser — HS256/HS384/HS512 HMAC signatures, custom claims, presets for access/session/refresh tokens. Free, no signup.

  • 100% free
  • No signup
  • Runs in your browser
Common uses: jwt builder · jwt generator · create jwt token · sign jwt online · hs256 jwt generator

Used 13.5K times today

Load preset:
Security notes: This tool runs entirely in your browser. Nothing is sent to a server. Still, don't paste production secrets into any web page — including this one. For production tokens, sign server-side with a secret loaded from your environment. RS256 / ES256 (asymmetric) is not offered here because pasting a private key into a web page is never a good idea.

How to Use JWT Builder

  1. 1

    Pick an algorithm and secret

    HS256 is the default for most APIs. Enter your HMAC secret — any string. For production always use a 256+ bit random secret.

  2. 2

    Fill in header and payload

    Or click a preset — Access token (15 min), Session (24 hr), Refresh token (30 days). Edit the JSON to add any custom claims.

  3. 3

    Copy the signed JWT

    The token updates live as you edit. Copy it, or click "Decode in JWT Decoder" to round-trip verify the output.

Frequently Asked Questions

Which algorithms does the JWT builder support?
HS256, HS384, and HS512 (HMAC + SHA-2 with three key sizes) plus "none" for testing. Asymmetric algorithms (RS256, ES256) are intentionally NOT supported because pasting a private key into any web page is a bad practice — always use a server-side library for asymmetric signing.
Is my secret sent anywhere?
No. All signing happens in your browser using the Web Crypto API (crypto.subtle.sign). Nothing is transmitted, logged, or saved. Still, don't paste real production secrets — build production tokens with a library on your own server.
What are iat and exp claims?
"iat" (issued at) is a Unix timestamp of when the token was created. "exp" (expiration) is when it becomes invalid. The presets set both automatically. Add "nbf" (not before) if you want a token to be invalid until a specific future time.
How do I generate a strong HMAC secret?
For HS256 you want at least 256 bits of randomness. Use our Password Generator with length 44 and include all character sets, or generate a 32-byte random value: openssl rand -base64 32.
What is the "none" algorithm?
An unsigned JWT — three base64 parts with an empty signature. Historically caused security issues because some libraries would accept a token switched to alg:none and skip signature verification. Only use "none" for testing. Never accept alg:none server-side in production.

Embed This Tool

Add this tool to your website for free. Just copy and paste the code below:

<iframe src="https://utilko.com/embed/jwt-builder/" width="100%" height="500" frameborder="0" title="JWT Builder"></iframe>

About JWT Builder

The JWT Builder creates signed JSON Web Tokens in your browser using the Web Crypto API. Choose HS256, HS384, or HS512 for HMAC signatures, paste your secret, edit the header and payload as live JSON, and get a ready-to-use JWT with the signature computed instantly.

Presets cover the three most common token types: access tokens (15-minute expiry, aud/iss/scope claims), session tokens (24-hour expiry with role and email), and refresh tokens (30-day expiry with jti for revocation). Every preset is fully editable — add any custom claims you need.

The tool is designed to pair with the JWT Decoder for round-trip testing: build a token here, click "Decode" to verify the output, and iterate quickly on your authentication flows without touching a server. Nothing is transmitted — the signing key stays in your browser.

When to use JWT Builder vs a server library

  • This tool — debug tokens, test API auth flows, generate test fixtures, teach yourself how JWTs work.
  • Server library (jsonwebtoken, jose, PyJWT) — sign real production tokens. Never paste a production secret into a web page.

More Developer Tools Tools