JWT Encoder (HS256)

All tools

Paste Header and Payload JSON, enter a secret, and generate a signed JWT.

For testing only. Do not paste production secrets.

What is a JWT?

JWT (JSON Web Token) is a compact token format used for authentication and authorization. A token consists of three parts: header, payload, and signature.

This tool generates a signed JWT using HS256 (HMAC SHA-256) locally in your browser. Your data is not sent to the server.

How to use the JWT Encoder

  1. Paste JSON into Header and Payload.
  2. Enter the secret used for signing (HS256).
  3. Click Generate to produce a JWT token.
  4. Use Copy to copy the result.

Tips

  • HS256 uses a shared secret. Anyone with the secret can verify and sign tokens.
  • If you need asymmetric keys, use RS256/ES256 (not included in this tool).
  • JWT is not encryption. Payload data is readable after Base64URL decoding.

Related guides

Learn the workflow behind this tool and what to check next.

JWT generation checks for safe test tokens

Use generated JWTs for local testing, documentation, and mock flows. Production tokens should still be created and signed by your auth service.

Use test secrets

Use non-production secrets and clearly marked sample claims when creating tokens for demos or automated tests.

Set realistic claims

Include exp, iat, iss, aud, sub, roles, and scopes that match the behavior you want to test.

Verify algorithm

Make sure the algorithm matches your validator and avoid accepting tokens with unexpected alg values.

Keep samples harmless

Do not generate tokens with real user IDs, customer data, or production permissions for screenshots or docs.

Privacy and usage

Built for quick checks without an account

Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.

No login required

You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.

Local when possible

Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.

Keep secrets out

Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.

Related tools

You may also find these tools useful.

JWT Encoder FAQ

Is JWT the same as encryption?
No. JWT is a signed token format. The payload is not encrypted and can be decoded.
Why does verification fail on my server?
Common causes are a different secret, different algorithm, or payload/header formatting differences.
Does Toolinix send my token to a server?
No. Generation happens locally in your browser.