Question 1

What signing algorithms are supported?

Accepted Answer

This tool supports HMAC algorithms (HS256, HS384, HS512) using a shared secret, RSA algorithms (RS256, RS384, RS512) using a PEM private key, and EC algorithms (ES256, ES384, ES512) using a PEM EC private key. For testing, HS256 with a simple secret is the easiest to use.

Question 2

What claims should I include in the payload?

Accepted Answer

Standard registered claims include: sub (subject/user ID), iss (issuer), exp (expiration as Unix timestamp), iat (issued at), nbf (not before), aud (audience), and jti (unique token ID). Custom claims for roles, email, or permissions can be added freely.

Question 3

How do I set an expiration time?

Accepted Answer

Add an 'exp' claim with a Unix timestamp (seconds since epoch). For example, for 1 hour from now: Math.floor(Date.now() / 1000) + 3600. This tool does not auto-fill exp — paste the calculated value into the payload JSON.

Question 4

Can I use the generated JWT in production?

Accepted Answer

You can use the JWT in production if you use a strong secret or a proper RSA/EC key pair. For production, never use 'none' algorithm or weak secrets like 'secret'. Use at least a 256-bit random HMAC secret or a 2048-bit RSA key.

Question 5

What is alg=none?

Accepted Answer

The 'none' algorithm produces an unsecured JWT with no signature. Some libraries incorrectly accept alg=none tokens in contexts where a signed token is required — this is a known JWT vulnerability. Only use alg=none for testing.

Question 6

How do I create a JWT token?

Accepted Answer

Select your signing algorithm (HS256, RS256, etc.), add a secret key or RSA private key, fill in payload claims (sub, exp, iat), and click Sign. The tool generates a signed JWT you can test with APIs and authentication flows. To verify or inspect existing tokens, use DevDecode's JWT Decoder or JWT Debugger.

Question 7

What signing algorithm should I use for JWTs?

Accepted Answer

For most applications, HS256 (HMAC-SHA256) is simplest — it uses one shared secret for both signing and verification. RS256 (RSA) is better for distributed systems where multiple services verify tokens without sharing the signing secret. Avoid none algorithm — unsigned JWTs are never safe. Check your tokens with DevDecode's JWT Debugger.

JWT Encoder — Free Online JWT Token Generator

Frequently Asked Questions

Creating Signed JWT Tokens

Related Tools

JWT Decoder

JWT Debugger

HMAC Generator

API Key Generator