JWT Encoder — Create & Sign JWT Tokens Online
JWT Encoder lets you build and sign JSON Web Tokens directly in your browser. Provide a JSON payload and a secret key, choose your HMAC algorithm (HS256, HS384, or HS512), and receive a signed JWT. The Web Crypto API handles all signing locally — your payload and secret are never transmitted to a server. The output panel shows the full token alongside the decoded header and payload for easy verification.
JWT Signing Algorithms
JWTs can be signed with symmetric algorithms (HMAC) or asymmetric algorithms (RSA, ECDSA). SmartDevBox supports the three HMAC variants: HS256 uses HMAC-SHA256, HS384 uses HMAC-SHA384, and HS512 uses HMAC-SHA512. HMAC signing uses a single shared secret — the same key is used to sign and verify. This is appropriate for tokens consumed by the same service that issued them, or by services that securely share the secret.
Asymmetric algorithms (RS256, ES256) use a private key for signing and a public key for verification. They are preferred for tokens distributed to third parties: the issuer keeps the private key secret but publishes the public key (via a JWKS endpoint), allowing any consumer to verify tokens without being able to create them. SmartDevBox currently supports HMAC algorithms only.
Building a Test Token
For API testing, build the minimum viable payload: {"sub":"test-user","iat":<current Unix timestamp>,"exp":<current + 3600>}. The iat claim tells the server when the token was issued; the exp claim sets the one-hour expiry. Add any custom claims your API expects (e.g. "role":"admin", "org_id":"acme"). Use a test secret (e.g. "test-secret-do-not-use-in-production") and sign with HS256.
Paste the resulting token into the JWT Decoder to verify the header and payload look correct before using it in your API client. Check the exp timestamp using the Unix Timestamp Converter to confirm the expiry is what you intended.
Common Use Cases
- Generating test tokens for JWT-protected API endpoints
- Creating tokens for development and staging environments
- Testing how your application handles different claims (exp, iss, sub)
- Learning and experimenting with JWT structure and signing
Frequently Asked Questions
Which JWT signing algorithms does SmartDevBox support?
SmartDevBox supports HMAC-based symmetric algorithms: HS256 (HMAC-SHA256), HS384 (HMAC-SHA384), and HS512 (HMAC-SHA512). Asymmetric algorithms (RS256, ES256) are not yet supported.
What payload format does the JWT Encoder expect?
The payload must be a valid JSON object. For example: { "sub": "user123", "iat": 1700000000, "exp": 1700003600 }. The iat (issued-at) claim is added automatically if not included.
Privacy & Security
This tool runs entirely in your browser using client-side JavaScript. No data is sent to a server — your input never leaves your machine. SmartDevBox has no account system, no usage tracking, and no paid tier. See the Privacy & Security page for full details.
Related Tools
- JWT DecoderDecode JWT tokens and inspect header, payload, and signature instantly. Free, no sign-up. Works without the signing secret. 100% client-side.
- Base64 DecoderDecode any Base64 string back to plain text instantly in your browser. Free, no sign-up, 100% client-side. Supports standard and URL-safe Base64.
- Hash GeneratorCompute MD5, SHA-1, SHA-256, and SHA-512 hashes for any text. Free, no sign-up, 100% client-side.
- JSON FormatterFormat and pretty-print JSON instantly in your browser. Validates syntax and shows error location. Free, no sign-up, 100% client-side.