Encode a JWT token from header, payload, and secret. Part of the DevTools Surf developer suite.
Use Cases
Creating test JWTs for local API development and debugging
Generating mock auth tokens for integration test suites
Encoding custom claims for JWT-based feature flag systems
Building sample tokens for API documentation examples
Tips
Set the algorithm and secret to generate a signed JWT
Include standard claims like exp, iat, and sub in the payload
Test your encoding against the expected token format
Fun Facts
JWT (RFC 7519) was authored by Michael Jones, John Bradley, and Nat Sakimura and published in May 2015.
JWTs are not encrypted by default; the payload is merely Base64URL-encoded, so anyone holding the token can read it. Sensitive data should never be stored in the payload unless the token is encrypted with JWE.
The jwt.io debugger, maintained by Auth0, receives over 3 million monthly visits, making it the most popular JWT tool on the web.
FAQ
What can I sign with?
HS256 (symmetric, fast — same secret for sign and verify) or RS256 (asymmetric — private key signs, public key verifies). Pick based on who needs to verify.
When to use RS256?
Use it for cross-service verification: the issuer holds the private key, and consumers only need the public key. Tokens can't be forged without the private key.
What claims are required?
None are required by spec, but `exp` (expiration) is strongly recommended to limit damage if a token leaks. Toggle to include common claims.
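The HS256 encoding that the tips and FAQ describe, as an added example that is not DevTools Surf's code: it signs a payload carrying `sub`, `iat` and `exp`, shows that the payload is readable without the secret, and verifies with the algorithm pinned and `exp` enforced. The function names, the secret and the claim values are constructed for illustration.

```python
import base64, hashlib, hmac, json

SAMPLE_SECRET = b"constructed-demo-secret"          # constructed, not a real key
SAMPLE_CLAIMS = {"sub": "user-123", "iat": 1700000000, "exp": 1700003600}

def b64url(data: bytes) -> str:
    # Base64URL with the padding stripped, as JWT segments use
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def encode_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    head, body = (b64url(json.dumps(part, separators=(",", ":")).encode())
                  for part in (header, claims))
    return f"{head}.{body}.{b64url(sign(f'{head}.{body}', secret))}"

def read_payload_unverified(token: str) -> dict:
    # Needs no secret: the payload is encoded, not encrypted
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    head, body, sig = token.split(".")      # ValueError unless exactly 3 segments
    header = json.loads(b64url_decode(head))
    # Pin the algorithm on the verifier side instead of trusting the header
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the received and recomputed signatures
    if not hmac.compare_digest(b64url_decode(sig), sign(f"{head}.{body}", secret)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    token = encode_hs256(SAMPLE_CLAIMS, SAMPLE_SECRET)
    print(token)
    print(read_payload_unverified(token))
    print(verify_hs256(token, SAMPLE_SECRET, now=1700000100))
```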