JWT Builder & Signer
Craft and sign JSON Web Tokens right in your browser using Web Crypto. HMAC-SHA256/384/512 supported.
Verify at /jwt-decoder or use in Authorization: Bearer <token>.
About the JWT Builder & Signer
The JWT Builder & Signer creates and signs JSON Web Tokens (RFC 7519) directly in your browser using the Web Crypto API — no data ever leaves the tab. Pick an HMAC algorithm (HS256, HS384, HS512), paste or edit the payload JSON, provide the shared secret, and get a valid, ready-to-use token in real time. It's the natural companion to our JWT Decoder: decode existing tokens on one page, forge test tokens on the other.
This is a developer-first tool. The payload area is a full JSON editor with sensible defaults (`sub`, `iat`, `exp` pre-filled with real timestamps) so you can build a realistic access token in seconds — for local API testing, for mocking a backend, for reproducing an auth bug, or for teaching how JWTs actually work under the hood. The token panel shows length and byte count so you can size headers appropriately, and there's a one-click copy button to drop it into a `Authorization: Bearer` header.
Because signing runs entirely on the client via Web Crypto, no secret is ever transmitted anywhere. That's the right threat model for a dev tool — you can safely paste production-adjacent secrets to reproduce an issue without worrying about a server-side log capturing them. For asymmetric algorithms (RS/ES/PS families) use a dedicated library server-side; this tool focuses on the symmetric HMAC family that covers the majority of internal APIs.
How to use this tool
- 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
- 2Click the action button to run the check — results are computed instantly from our edge network.
- 3Review the parsed output, key fields and any warnings shown in the result card.
- 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.
Key features
- HS256 / HS384 / HS512 via Web Crypto — no data leaves the browser
- Live re-sign as you edit the payload or secret
- Sensible default payload with real iat / exp timestamps
- One-click copy for Authorization: Bearer usage
- Pairs with JWT Decoder for round-trip debugging