Example
Input (Payload + Secret + Algorithm)
Payload:
{ "sub": "123", "name": "Alice", "exp": 1815000000 }
Secret: your-256-bit-secret
Algorithm: HS256
Output (signed JWT)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWxpY2UiLCJleHAiOjE4MTUwMDAwMDB9.q3w...
Note
Uses Web Crypto API HMAC-SHA. Same input → same token (deterministic). As long as the secret is kept safe, the token cannot be forged externally.
Usage / FAQ
When to use
- Quickly issue API auth tokens for tests or local environments
- Re-sign a token with the same secret while debugging via JWT Decoder
- Issue a single token without a backend library
- Set custom `exp`, `sub`, `role` claims for permission testing
- Compare outputs of HS256 / HS384 / HS512
FAQ
- Q. Is RS256 (asymmetric) supported?
- A. Only HS256/384/512 (HMAC) at the moment. RS256, ES256, etc. need PEM key parsing — under consideration as a separate tool. HMAC is sufficient for simple use cases (single secret signs and verifies).
- Q. Is the secret sent anywhere?
- A. No. Both `crypto.subtle.importKey` and `subtle.sign` run entirely in the browser — secret, payload, and resulting token never leave your device.
- Q. Can I use this with production secrets?
- A. Suitable for tests and local debugging. Pasting production secrets into a browser tool isn't generally recommended — clipboard, browser extensions, etc. are an exposure surface. Mint real tokens server-side.
Fun facts
JWT's RFC 7519 defined an algorithm of 'none' — which became the basis of a 2015 Auth0 disclosure: many JWT libraries would happily verify a token whose `alg` header was switched to 'none', bypassing signature checks entirely. Libraries now block 'none' by default.
Auth0 — JWT vulnerabilities (2015)
HS256 (HMAC-SHA256) requires both issuer and verifier to share the same secret. RS256 (RSA) splits private/public — only the issuer signs, anyone with the public key can verify. Prefer RS256 when many services need to verify tokens.
RFC 7518 — JOSE Algorithms
A JWT payload is base64url-encoded, *not* encrypted — anyone can decode it as plaintext. The signature protects against tampering, not disclosure. Don't put passwords, government IDs, or other sensitive PII into the payload.
Auth0 — JWT Claims
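The signing flow from the FAQ (`crypto.subtle.importKey`, then `subtle.sign`) next to a verifier that pins the expected algorithm, so a header switched to `none` is rejected. This is an added example, not this tool's own code; `signJwt`, `verifyJwt` and the helper names are hypothetical, and the `require` fallback only matters on older Node runtimes.

```javascript
// Added example, not the tool's source. signJwt/verifyJwt are hypothetical names.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback: Node < 19
const HASH = { __proto__: null, HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const enc = new TextEncoder();

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Non-extractable HMAC key limited to a single usage ("sign" or "verify").
const keyFor = (secret, alg, usage) =>
  webcrypto.subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: HASH[alg] }, false, [usage]);

async function signJwt(payload, secret, alg = "HS256") {
  if (!HASH[alg]) throw new Error(`unsupported alg: ${alg}`);
  const head = b64url(enc.encode(JSON.stringify({ alg, typ: "JWT" })));
  const body = b64url(enc.encode(JSON.stringify(payload)));
  const key = await keyFor(secret, alg, "sign");
  const sig = await webcrypto.subtle.sign("HMAC", key, enc.encode(`${head}.${body}`));
  return `${head}.${body}.${b64url(new Uint8Array(sig))}`;
}

async function verifyJwt(token, secret, expectedAlg = "HS256") {
  try {
    const parts = token.split(".");
    if (parts.length !== 3 || parts.some((p) => p === "")) return false; // unsigned tokens end in "."
    const [head, body, sig] = parts;
    const header = JSON.parse(new TextDecoder().decode(fromB64url(head)));
    // The verifier pins the algorithm; the token's header never chooses it.
    if (!HASH[expectedAlg] || header.alg !== expectedAlg) return false;
    const key = await keyFor(secret, expectedAlg, "verify");
    // subtle.verify recomputes the MAC and compares it inside the crypto library.
    return await webcrypto.subtle.verify("HMAC", key, fromB64url(sig), enc.encode(`${head}.${body}`));
  } catch {
    return false; // malformed base64url or JSON
  }
}
```

This verifier checks only the algorithm and signature; `exp` and the other claims still have to be validated after it returns true.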