Skip to content
DevKit Labs

JWT Builder & Signer — Create Signed JWTs

Build and sign a JSON Web Token with HS256 or RS256 — in your browser, no key ever uploaded.

About JWT Builder & Signer — Create Signed JWTs

Build a signed JSON Web Token from a custom payload. Edit the claims as JSON, choose your algorithm — HS256 with a shared secret, or RS256 with an RSA private key — and the tool outputs a ready-to-use compact JWT (header.payload.signature) you can copy straight into an Authorization header or test suite.

Signing happens entirely in your browser using the Web Crypto API. Your secret or private key is never sent anywhere, so it's safe to sign with real credentials. Handy buttons add standard claims like iat (issued-at) and exp (expiry) so you can test token expiry quickly.

JWTs are the standard for stateless auth and API tokens. HS256 (HMAC) is symmetric — the same secret signs and verifies — while RS256 is asymmetric, signing with a private key so anyone with the public key can verify without being able to forge tokens. Pair this with the JWT decoder to confirm your token is valid.

Sign with HS256

Input
{ "sub": "1234567890", "name": "Jane Doe", "iat": 1710000000 }
Output
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzEwMDAwMDAwfQ.<signature>

The three dot-separated parts are the header, payload and signature.

Frequently asked questions

Is my secret or private key uploaded?

No. Signing is done locally with the Web Crypto API. Your HMAC secret or RSA private key never leaves the browser, so it's safe to use real keys.

Which algorithms are supported?

HS256 (HMAC-SHA256 with a shared secret) and RS256 (RSASSA-PKCS1-v1_5 with SHA-256, using an RSA private key). These cover the vast majority of JWT use cases.

Where do I get an RSA private key for RS256?

Use the RSA key generator on this site — it produces a PKCS#8 PEM private key you can paste straight in, plus a public key to verify with.

How do I add an expiry?

Click '+ exp (1h)' to add an exp claim one hour ahead, or edit the payload directly. The exp claim is a Unix timestamp in seconds.

Can I verify the token I built?

Yes — paste it into the JWT decoder to see the decoded header and payload and check the signature against your secret or public key.

Related tools

References