Client-side RS256 JWT signer/decoder/verifier (no network calls). For signing, use a PKCS8 private key PEM (BEGIN PRIVATE KEY).
Header JSON
Payload JSON
RSA Private Key (PKCS8 PEM) — for Generate
Accepted: -----BEGIN PRIVATE KEY----- (PKCS8). Not supported: BEGIN RSA PRIVATE KEY (PKCS1) without conversion.
RSA Public Key (SPKI PEM) — for Verify (optional)
Accepted: -----BEGIN PUBLIC KEY----- (SPKI).
Generated Token (read-only)
Token (for Decode / Verify)
Decoded / Results
How to use
Use this tool to create and validate RS256 JWTs.
- Paste Header JSON and Payload JSON.
- Paste your RSA Private Key (PKCS8 PEM) and click Generate RS256 JWT.
- To inspect a token, paste it into Token (for Decode/Verify) and click Decode.
- To validate a token, paste an RSA Public Key (SPKI PEM) and click Verify.
Note: This tool imports -----BEGIN PRIVATE KEY----- (PKCS8) for signing and -----BEGIN PUBLIC KEY----- (SPKI) for verification.
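The generate and verify steps above, written against WebCrypto as an added example (not this tool's own source). The function names, the throwaway key pair, the sample claims and kid value, and the exp check are assumptions made for illustration.

```javascript
// Added example, not the tool's source. WebCrypto is global in browsers and Node 20+.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const RSA = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }; // RS256
const enc = new TextEncoder(), dec = new TextDecoder();
const bin = (buf) => String.fromCharCode(...new Uint8Array(buf));
const bytes = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
// JWT segments are unpadded base64url, not plain base64.
const b64u = (buf) => btoa(bin(buf)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64u = (s) => bytes(s.replace(/-/g, "+").replace(/_/g, "/"));
const toPem = (der, label) => `-----BEGIN ${label}-----\n${btoa(bin(der))}\n-----END ${label}-----`;

// Strip the PEM armor; rejects PKCS1 ("BEGIN RSA PRIVATE KEY") when PKCS8 is expected.
function pemToDer(pem, label) {
  if (!pem.includes(`-----BEGIN ${label}-----`)) throw new Error(`expected BEGIN ${label}`);
  return bytes(pem.replace(/-----[^-]+-----|\s/g, ""));
}

async function signJwt(header, payload, pkcs8Pem) {
  const key = await subtle.importKey("pkcs8", pemToDer(pkcs8Pem, "PRIVATE KEY"), RSA, false, ["sign"]);
  const seg = (obj) => b64u(enc.encode(JSON.stringify(obj)));
  const input = `${seg({ ...header, alg: "RS256" })}.${seg(payload)}`; // alg forced to RS256
  return `${input}.${b64u(await subtle.sign(RSA, key, enc.encode(input)))}`;
}

async function verifyJwt(token, spkiPem, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s] = token.split(".");
  // Pin the algorithm before touching the key: never let the token choose it.
  if (JSON.parse(dec.decode(unb64u(h))).alg !== "RS256") return { valid: false, reason: "alg is not RS256" };
  const key = await subtle.importKey("spki", pemToDer(spkiPem, "PUBLIC KEY"), RSA, false, ["verify"]);
  if (!(await subtle.verify(RSA, key, unb64u(s), enc.encode(`${h}.${p}`))))
    return { valid: false, reason: "INVALID signature" };
  const payload = JSON.parse(dec.decode(unb64u(p)));
  // Assumed server-side policy: reject once exp (seconds since epoch) has passed.
  if (typeof payload.exp === "number" && now >= payload.exp) return { valid: false, reason: "expired" };
  return { valid: true, payload };
}

// Constructed demo: throwaway key pair, sample claims, and one edited payload.
async function demo() {
  const kp = await subtle.generateKey(
    { ...RSA, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, true, ["sign", "verify"]);
  const priv = toPem(await subtle.exportKey("pkcs8", kp.privateKey), "PRIVATE KEY");
  const pub = toPem(await subtle.exportKey("spki", kp.publicKey), "PUBLIC KEY");
  const token = await signJwt({ typ: "JWT", kid: "demo-key" }, { sub: "alice", iat: 1700000000, exp: 1700003600 }, priv);
  const [h, , s] = token.split(".");
  const edited = `${h}.${b64u(enc.encode(JSON.stringify({ sub: "admin" })))}.${s}`;
  return { ok: await verifyJwt(token, pub, 1700000100), expired: await verifyJwt(token, pub, 1700009999),
    edited: await verifyJwt(edited, pub, 1700000100) };
}
```

Calling demo() resolves to three results: the untouched token verifies, the same token is rejected once the clock passes exp, and a token whose payload was changed after signing fails the signature check.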
FAQ
What key formats does this RS256 JWT generator support?
Signing supports RSA PKCS8 PEM (BEGIN PRIVATE KEY), and verification supports RSA SPKI PEM (BEGIN PUBLIC KEY).
Why does it say “PKCS1 key detected (BEGIN RSA PRIVATE KEY)”?
The tool imports private keys through WebCrypto, which accepts PKCS8 but not PKCS1. Convert the PKCS1 key to PKCS8 (e.g., with OpenSSL) and paste the resulting BEGIN PRIVATE KEY output.
Does this tool upload my keys or tokens?
No. It runs locally in your browser and does not make network requests.
What does the “kid” field do?
kid is a header hint used to select the right public key during verification/rotation; it doesn’t change how RS256 signing works.
What do iat and exp mean, and should I add them?
iat is “issued at” and exp is “expires at” (both in seconds since epoch). Add them if your server expects time-based validation.
Why is verification failing with “INVALID signature”?
Common causes are mismatched keys, changed header/payload after signing, or using the wrong public key format (must be SPKI BEGIN PUBLIC KEY).
Is the header alg forced to RS256?
Yes. The tool sets alg to RS256 to prevent accidental algorithm mismatch between the UI and the signature.