The JWT-Format Token Generator builds tokens in the exact three-part shape of a JSON Web Token — header.payload.signature, each segment base64url-encoded and joined by dots. It is meant for testing how your application parses, displays, and reacts to tokens, not for issuing real credentials.
How it works
A JWT has three segments. This tool builds them like this:
- Header — a small JSON object such as
{"alg":"HS256","typ":"JWT"}, encoded with URL-safe base64 (the+and/characters become-and_, and trailing=padding is stripped). - Payload — a claims object with
sub,name,iat,nbf,exp,jti,iss, andaud. Theexpclaim is set to the current time plus your chosen minutes. - Signature — random bytes sized to match the algorithm (32 for HS256, 48 for HS384, 64 for HS512), then base64url-encoded.
Because the signature is random rather than computed from a secret, the token is structurally valid but cryptographically invalid.
Claims in the payload
| Claim | Meaning | Set to |
|---|---|---|
sub | Subject — the user or entity the token represents | Your entered subject value |
iat | Issued at — Unix timestamp of issue | Current time |
nbf | Not before — token not valid before this time | Current time |
exp | Expiry — Unix timestamp of expiration | Now + chosen minutes |
jti | JWT ID — unique token identifier | Random UUID |
iss | Issuer | demo-issuer.example.com |
aud | Audience | demo-api.example.com |
The decoded payload is shown below the token so you can confirm exactly what your parser extracts from each dot-separated segment.
Algorithm and signature size
Different algorithms produce different signature lengths. Choosing HS256 means the random signature is 32 bytes (256 bits), HS384 gives 48 bytes, and HS512 gives 64 bytes. The tool sizes the random fill to match, so a decoder that checks the expected signature length will still see the right number of bytes — even though the bytes themselves are not a real HMAC.
Common testing scenarios
- Decoding and display: paste the token as a
Bearervalue and verify your client readssub,name, andexpfrom the payload correctly. Most bugs here are base64url-decoding mistakes or missing padding-strip logic. - Expiry handling: set a short window (for example 1 minute), generate, then wait for the clock to pass
exp. Confirm your middleware rejects the token with401 Unauthorizedand not500. - Switching algorithms: switch between HS256, HS384, and HS512 to confirm your header parser reads the
algfield and routes to the right validation branch. - Claim rendering: set specific
subandnamevalues to test your profile-page logic that reads from the token rather than a database call.
Tips and notes
- The decoded header and payload are shown below the token so you can confirm exactly what your parser will see.
- Use the generated token as a
Bearervalue to test that your client stores, decodes, and renders claims correctly. - To exercise expiry handling, generate with a short window and verify your code rejects the token once
exppasses. - This is never a substitute for a real signed token in production — anything checking the signature will and should reject it. Never use it to authenticate real requests.