JWT Generator

JWT Generator

JWT generator online for testing. Create unsigned or demo JWT tokens for UI testing. NOT for production—generates test tokens with custom header and payload.

Production-Ready Tokens

Uses the jose library for cryptographically signed JWTs.

📋

Header

HMAC (Symmetric)

🔑

Secret Key

📦

Payload

Quick Add

More claims...

Quick Tips

  • ✅ Tokens are cryptographically signed with HMAC
  • ✅ Add exp for auto-expiration
  • ⚠️ Keep secrets secure — never share publicly

Features

  • Creates test JWTs with a custom header and payload
  • Handy for mocking auth responses while building a UI
  • Add common claims like sub, exp, and iat with a click
  • Everything is generated in your browser — no server round-trip
  • Copy the finished token straight into your API client or tests

Common Use Cases

  • Faking a logged-in user while developing a frontend
  • Producing sample tokens for documentation or bug reports
  • Testing how your app handles expired or malformed tokens
  • Experimenting with different claim shapes before wiring up a real issuer

Why this is for testing only

A real JWT is trustworthy because its signature was created with a secret (or private key) that only the issuer holds. Tokens made in a browser tool cannot be secured that way — the secret would be exposed — so anything generated here is meant strictly for local development and testing.

Use these tokens to exercise your own code paths: how the UI behaves when a user is "logged in", how your app reacts to an expired exp, or how it handles missing claims. Never point production systems at self-generated tokens, and never treat them as a substitute for a proper auth server.

Examples

Valid - A minimal test payload
{ "sub": "test-user", "name": "Test User", "iat": 1516239022 }
Valid - Add an exp to test expiry handling
{ "sub": "test-user", "exp": 1516242622 }

Frequently Asked Questions

Can I use these tokens in production?
No. They are for local testing only. Production tokens must be signed by your auth server with a secret that is never exposed to the browser.
How do I test that my app rejects expired tokens?
Generate a token with an exp timestamp in the past, send it to your app, and confirm it responds with an authentication error instead of granting access.
What algorithm do the test tokens use?
They are intended for UI and flow testing rather than real verification, so treat them as demo tokens. For anything that must verify a signature, use a proper server-side library.