FeuTex · free tools · runs in-browser · no bloat · built by LiMiT

Online JWT Generator (HS256)

Create and sign JSON Web Tokens using HS256 (HMAC-SHA256). Edit header and payload JSON, set common claims, generate a compact JWT, then decode and verify it—all in your browser.

Category: Developer · URL: /tools/online-jwt-generator-hs256.html

Tip: For pretty-printing only (no signing), use JWT Formatter.
Privacy: runs locally in your browser. No uploads, no tracking scripts.

How to use

Use this tool to generate (sign) and verify HS256 JWTs locally.

  1. Enter your Payload JSON (required) and optionally edit the Header JSON.
  2. Provide a Secret (HMAC key). Optionally add iat and exp.
  3. Click Generate HS256 JWT to produce the token.
  4. To validate, paste a token into Token to decode/verify and click Decode + Verify.
Secondary intents covered: Generate a signed HS256 JWT from header and payload JSON, Add standard claims (iat, exp, nbf, iss, aud, sub) quickly, Decode a JWT into readable header and payload JSON, Verify an HS256 token signature against a shared secret, Copy a generated token for Authorization: Bearer usage, Detect malformed JWT structure or invalid Base64URL, Avoid alg confusion by enforcing HS256 during verification, Create deterministic tokens for tests with fixed timestamps

FAQ

What is HS256 in JWT?

HS256 means the JWT is signed with HMAC using SHA-256 and a shared secret (same key for signing and verification).

Does this tool send my secret or token to a server?

No. Signing and verification run locally in your browser using the Web Crypto API, with no network requests.

Why does verification fail even with the right secret?

The header/payload must match exactly what was signed, and the token must be Base64URL-encoded correctly; any change breaks the signature.

Can I use this to verify tokens signed with RS256 or ES256?

No. This tool supports HS256 only; RSA/ECDSA tokens require public/private keys and different verification logic.

What do iat, exp, and nbf mean?

iat is issued-at time, exp is expiration time, and nbf is “not before” time (all in Unix seconds).

Should I trust the JWT payload content?

Only if the signature verifies with a trusted secret; otherwise the payload can be forged.

Why force alg=HS256?

It prevents algorithm confusion (e.g., a token claiming a different alg) by ensuring generation and verification are strictly HS256.
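
The checks described in the FAQ (strict Base64URL decoding, a fixed alg, signature verification before any claim is trusted, then exp/nbf), shown as an added example using the Web Crypto API. This is not the tool's own source; the function names, secret and claims are assumptions constructed for illustration.

```javascript
// Added example, not the tool's source. Names, secret and claims are constructed.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder(), dec = new TextDecoder();

const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function b64urlDecode(s) {
  // Strict alphabet: reject '+', '/', '=' and whitespace rather than tolerate them.
  if (!/^[A-Za-z0-9_-]*$/.test(s) || s.length % 4 === 1) throw new Error("invalid Base64URL");
  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

const hmacKey = (secret, usage) => subtle.importKey(
  "raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

async function signHS256(payload, secret) {
  const input = [{ alg: "HS256", typ: "JWT" }, payload]
    .map((o) => b64url(enc.encode(JSON.stringify(o)))).join(".");
  const sig = await subtle.sign("HMAC", await hmacKey(secret, "sign"), enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

async function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(token).split(".");
  if (parts.length !== 3) return fail("malformed");
  let header, payload, sig;
  try {
    header = JSON.parse(dec.decode(b64urlDecode(parts[0])));
    payload = JSON.parse(dec.decode(b64urlDecode(parts[1])));
    sig = b64urlDecode(parts[2]);
  } catch { return fail("malformed"); }
  // The verifier fixes the algorithm; the token's header never selects it.
  if (header?.alg !== "HS256") return fail("alg");
  // The MAC covers the received header.payload bytes, not re-serialized JSON.
  const key = await hmacKey(secret, "verify");
  if (!(await subtle.verify("HMAC", key, sig, enc.encode(`${parts[0]}.${parts[1]}`)))) {
    return fail("signature");
  }
  // Time claims are checked only after the signature is known to be good.
  if (typeof payload?.exp === "number" && now >= payload.exp) return fail("expired");
  if (typeof payload?.nbf === "number" && now < payload.nbf) return fail("not-yet-valid");
  return { ok: true, payload };
}
```

Passing a fixed `now` gives deterministic results in tests; in production the default clock is used.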