> JWT Generator
// Learn how JSON Web Tokens are built step by step
Configuration
HMAC using SHA-256 — symmetric, shared secret
Step-by-Step JWT Generation
Step 1: Header Encoding
{
"alg": "HS256",
"typ": "JWT"
}
↓Base64Url Encode↓
ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIgp9
Step 2: Payload Encoding
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
↓Base64Url Encode↓
ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAiSm9obiBEb2UiLAogICJpYXQiOiAxNTE2MjM5MDIyCn0
Step 3: Signature Creation
ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIgp9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAiSm9obiBEb2UiLAogICJpYXQiOiAxNTE2MjM5MDIyCn0
↓HMAC-SHA-256 with secret↓
Step 4: Final Token
ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIgp9.ewogICJzdWIiOiAiMTIzNDU2Nzg5MCIsCiAgIm5hbWUiOiAiSm9obiBEb2UiLAogICJpYXQiOiAxNTE2MjM5MDIyCn0.
How JWT Validation Works
1. Split — The token is split into three parts: header, payload, and signature.
2. Decode — The header and payload are Base64Url-decoded to reveal JSON.
3. Verify Signature — The signature is recomputed using the header, payload, and the secret/key. If it matches the token’s signature, the token is authentic.
4. Check Claims — Standard claims like exp, nbf, and iss are validated against current time and expected values.
5. Trust — If all checks pass, the payload can be trusted.
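The five validation steps above for an HS256 token, as an added Python example (not code from this page or its tool). `sign_hs256` and `verify_hs256` are hypothetical helper names; the secret, the issuer and the current time are supplied by the caller, and pinning `alg` to HS256 and requiring `exp` are this example's policy choices.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(signing_input: str, secret: bytes) -> str:
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256)
    return b64url_encode(mac.digest())

def sign_hs256(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part).encode()) for part in (header, payload))
    return f"{signing_input}.{hs256(signing_input, secret)}"

def verify_hs256(token: str, secret: bytes, issuer: str, now=None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")                      # 1. Split
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:                                          # 2. Decode
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: the header is attacker-controlled input, so it must
    # never choose how the token is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 3. Verify over the exact bytes received, in constant time.
    expected = hs256(f"{header_b64}.{payload_b64}", secret)
    if not hmac.compare_digest(expected.encode(), sig_b64.encode()):
        raise ValueError("bad signature")
    # 4. Check claims (requiring exp is this example's policy choice).
    exp, nbf = payload.get("exp"), payload.get("nbf", 0)
    if payload.get("iss") != issuer:
        raise ValueError("unexpected iss")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    if not isinstance(nbf, (int, float)) or now < nbf:
        raise ValueError("not yet valid")
    return payload                                # 5. Trust
```

The signature is checked against the encoded segments exactly as received, not against re-serialized JSON, which is why the pretty-printed header shown in Step 1 verifies as long as its bytes are unchanged.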