Encode JWT — pick algorithm (HS256/HS384/HS512), set header/payload/secret, get token.
- Runs locally
- Category Encoding & Crypto
- Best for Checking small payloads, tokens, hashes, and encoded values quickly.
—
What this tool does
Free online JSON Web Token encoder. Pick HS256, HS384, or HS512, edit the header and payload as JSON, type a secret, and copy the signed token. Signing runs in your browser via SubtleCrypto HMAC — your secret never touches our servers. Use it as the reverse of the JWT decoder for testing APIs locally.
Tool details
- Input
- Text + Structured content
- The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output
- Live result + Copy
- The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy
- Browser-side processing
- The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share
- No account required
- Open the page and use it; whether results survive refresh depends on the tool.
- Performance budget
- Initial JS <= 18 KB
- No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit
- Encoding & Crypto · Developer
- Category and role tags drive related tools, internal links, and quick fit checks.
How to use
-
1. Input
Paste or drop your content into the tool panel.
-
2. Process
Click the button. All processing is local in your browser.
-
3. Copy / Download
Copy the result or download to disk in one click.
How JWT Encoder fits into your work
Use it for quick browser-side encoding, decoding, hashing, token checks, and share-safe transformations.
Encoding jobs
- Checking small payloads, tokens, hashes, and encoded values quickly.
- Preparing values for APIs, URLs, docs, or support tickets.
- Avoiding account-based tools when the input might be sensitive.
Encoding checks
- Do not paste live secrets unless you are comfortable with local browser handling.
- Confirm whether the operation is reversible before sharing the result.
- For hashes, compare the exact algorithm and casing expected by the receiver.
Good next steps
These links move the current task into a more complete workflow.
- 1 JWT Decoder Decode JWT header / payload / signature — verify structure, check exp, copy claims — browser-only Open
- 2 Base64 Encoder & Decoder Encode or decode Base64 — text, files, and Data URLs. Runs entirely in your browser. Open
- 3 MD5 / SHA Hash Generator Compute MD5 / SHA-1 / SHA-256 / SHA-384 / SHA-512 hashes, all five at once, browser-only Open
Real-world use cases
Forge a test token to hit a staging API without standing up an auth server
Your backend verifies HS256 with a shared secret like dev-only-secret. Paste that secret here, set payload to {"sub":"42","role":"admin","exp":1735689600}, and copy the token straight into a curl -H "Authorization: Bearer ...". You skip the whole login dance and still exercise the real middleware path in under 30 seconds.
Reproduce a "signature invalid" bug a teammate reported on their machine
They claim the same payload yields a different token. Sign it here with their exact secret, then compare byte for byte. Nine times out of ten the diff is a trailing newline in their .env secret or JSON whitespace they did not minify. Two minutes of side-by-side encoding beats an hour of Slack back-and-forth.
Build an expired token on purpose to test your 401 handling
To confirm your refresh flow fires, you need a token whose exp is already in the past. Set {"sub":"u1","exp":1577836800} (Jan 2020), sign it, and feed it to your endpoint. A correct server returns 401 and triggers the refresh; if it returns 200, your expiry check is broken and you just caught it before users did.
Demo HMAC tampering in a security talk or onboarding session
Sign a payload with role:"user", show the token, then change the secret by one character and re-sign. The signature changes completely, proving why an attacker who flips role to admin in the payload but lacks the secret can never produce a valid token. It is a concrete 60-second demo that lands better than a slide of math.
Common pitfalls
Pasting a production secret to "just test". This page signs locally, but treat any secret you type as exposed in your clipboard and shell history; use a throwaway dev secret like test-secret-123 instead.
Forgetting exp is Unix seconds, not milliseconds. Writing {"exp":1735689600000} sets expiry to the year 56992 and your token never expires; drop the trailing 000 or use Math.floor(Date.now()/1000)+3600.
Expecting the header alg to be auto-set. If you edit the header JSON to {"alg":"none"} but pick HS256 in the dropdown, the dropdown wins for signing while the header lies; keep alg in the header matching the algorithm you actually selected.
Privacy
Everything happens in your browser. The header, payload, and secret are signed locally with SubtleCrypto HMAC and never sent to any server, logged, or stored. The tool does not sync your secret to the URL, so a shared link never leaks it; only re-typed inputs travel as far as your own tab. Close the tab and nothing remains. Still, your secret lives in clipboard and browser memory while open, so use a disposable dev secret rather than a real production key.
FAQ
Tool combos
Folks in your role tend to reach for these alongside this tool.
- 555 Timer Calculator Astable f = 1.44/((R1+2R2)C) + monostable t = 1.1RC — pick R1, R2, C in Ω/kΩ and µF/nF, read frequency, duty cycle and pulse width — browser-only
- Add Line Numbers Number every line of pasted text — set start, step and separator, zero-pad to align, skip blanks, or strip numbers back off — browser-only
- Age Difference Calculator The exact gap between two birthdays — years/months/days, percentage, and the date one person is twice the other's age — browser-only
- AI Eval Planner Generate eval cases, pass criteria, and edge cases from an AI feature, risks, and user path.