JWT Encoder - Create JSON Web Tokens Online
Free online JWT encoder. Generate JSON Web Tokens with custom header, payload, and secret key. Supports HS256 algorithm. Perfect for development and testing.
For production use, we recommend using server-side JWT libraries that support proper key management.
What is JWT Encoder?
A JWT Encoder creates JSON Web Tokens by combining a header, payload, and cryptographic signature. JWTs are widely used for authentication and information exchange in modern web applications.
How JWT encoding works:
- Header - Specifies the token type (JWT) and signing algorithm (e.g., HS256)
- Payload - Contains claims (user data, permissions, metadata)
- Signature - Created by signing the encoded header and payload with a secret key
The three parts are Base64URL-encoded and joined with dots:
header.payload.signature
JWTs are self-contained - the payload includes all necessary information, making them stateless and ideal for distributed systems.
Examples
Basic authentication token
Input:
Header: {"alg": "HS256", "typ": "JWT"}
Payload: {"sub": "123", "name": "John", "iat": 1516239022}
Secret: your-256-bit-secret
Output:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiSm9obiIsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Token with expiration
Input:
Payload includes: {"exp": 1735689600} (expires Jan 1, 2025)
Output:
Token includes exp claim for automatic expiration validation
Admin role token
Input:
Payload: {"sub": "admin", "role": "admin", "permissions": ["read", "write", "delete"]}
Output:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsInBlcm1pc3Npb25zIjpbInJlYWQiLCJ3cml0ZSIsImRlbGV0ZSJdfQ.signature
Create JWT in Node.js
const jwt = require('jsonwebtoken');
// Create a token
const payload = {
  sub: '1234567890',
  name: 'John Doe',
  role: 'user'
};
const token = jwt.sign(payload, process.env.JWT_SECRET, {
  expiresIn: '1h',    // Token expires in 1 hour
  issuer: 'my-app',   // Identifies the issuer
  audience: 'my-api'  // Intended recipient
});
console.log('Token:', token);
// Create with custom claims
const adminToken = jwt.sign(
  { sub: 'admin', role: 'admin', permissions: ['read', 'write'] },
  process.env.JWT_SECRET,
  { expiresIn: '15m' } // Short-lived for security
);
Common Mistakes
- Including sensitive data in payload - JWT payloads are Base64 encoded, not encrypted. Anyone can decode them.
- Using weak secret keys - Use at least 256 bits of entropy for HS256 secrets.
- Not setting expiration - Always include exp claim to limit token lifetime.
- Hardcoding secrets in client code - Secrets should only be on the server, never in frontend code.
- Accepting tokens without verification - Always verify the signature and claims before trusting a token.
Security Note
JWT payloads are readable by anyone with the token. Never include passwords, API keys, or sensitive personal data in the payload. For sensitive applications, consider encrypting the payload (JWE) or using opaque tokens.
Frequently Asked Questions
What is a JWT token?
A JWT (JSON Web Token) is a compact, URL-safe token format for transmitting claims between parties. It consists of three parts: header (metadata), payload (claims/data), and signature (integrity verification). JWTs are commonly used for authentication and authorization in web applications.
What's the difference between JWT encoding and encryption?
Encoding (JWT) makes data compact and URL-safe but doesn't protect confidentiality - anyone can decode a JWT. Encryption (JWE) makes data unreadable without a decryption key. Use standard JWTs for authentication claims, but encrypt sensitive data separately.
What claims should I include in a JWT?
Standard claims: sub (subject/user ID), iat (issued at), exp (expiration), nbf (not before), iss (issuer), aud (audience). Custom claims for your application: roles, permissions, user metadata. Keep payloads minimal - larger tokens increase bandwidth and parsing time.
How long should a JWT secret key be?
For HS256: minimum 256 bits (32 bytes). Use the JWT Secret Generator on our homepage to create secure keys. For RS256: use 2048-bit or larger RSA keys. Never use passwords, dictionary words, or predictable sequences as secrets.