Create test JWTs without spinning up your backend
You’re building an auth flow. The frontend needs a token to test with, but the backend auth service isn’t ready yet. Or you’re debugging why your API rejects a specific token and need to generate one with known-good claims to isolate the problem.
Enter your payload as JSON, provide a secret key, and click generate. You get a properly signed HS256 JWT that’ll validate against any JWT library (jsonwebtoken, jose, PyJWT, whatever) using the same secret. The signing uses the browser’s Web Crypto API, so your secret key never leaves your machine.
Building your payload
The standard claims you’ll use most:
sub: who the token is about (usually a user ID).
iss: who issued it (your auth service).
exp: when it expires (Unix timestamp). Set this or your token lives forever.
iat: when it was issued.
aud: who it’s intended for.
Throw in whatever custom claims your app needs: role, permissions, org_id, email. It’s just JSON.
When this is useful
API testing. Generate tokens with different roles to test your authorization logic. Try an admin token, a regular user token, and an expired token, and see how your API handles each one.
Frontend prototyping. Your login flow needs a token to store and send. Generate one with realistic claims so you can build the UI before the real auth is wired up.
Debugging. Your API returns 401 and you can’t figure out why. Generate a fresh token with known claims and a known secret. If that works, the problem is in your token generation code, not your validation code.
Documentation. Create realistic JWT examples for your API docs.
One important note
This tool is for development and testing. Production tokens should come from your backend auth service with proper key management, token rotation, and security controls. Don’t use a browser-generated JWT in production.
FAQ
Which algorithms?
HS256 (HMAC-SHA256), the most widely used symmetric signing algorithm. Supported by every major JWT library.
Is the signature valid?
Yes. The Web Crypto API generates a cryptographically correct signature. Any JWT library using the same secret key will verify it.
Does my secret key leave the browser?
No. All signing happens client-side via the Web Crypto API. No server calls.
Can I decode JWTs?
Split on the dots, Base64URL-decode the header and payload. Or use a dedicated JWT decoder.