Free Online JWT Builder & Encoder

Build and sign JWT tokens instantly in your browser. Select an algorithm, enter a secret key, define your payload claims, and generate a signed JWT — no sign-up, no server, 100% private.

Last updated: May 22 2026

Reviewed by the QuickTooly Team

JWT Builder Guide

Why Use QuickTooly.com's JWT Builder?

  • 100% client-side: Your secret key and payload never leave your browser — no server involved.
  • Real signing: Uses the Web Crypto API via the open-source jose library — tokens are cryptographically valid, not just base64-encoded.
  • Instant preview: Color-coded header, payload, and signature — same visual format as our JWT Decoder for easy round-tripping.
  • Custom claims: Add, edit, and remove any payload field. Numeric values (timestamps, IDs) are auto-typed correctly.
  • One-click timestamps: "Now" and "+1h" shortcuts set iat and exp to valid Unix timestamps instantly.
  • 100% free: No registration, no watermarks, no usage limits.

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe string. A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims, i.e. statements about an entity), and the Signature (used to verify the token hasn't been tampered with). The header and payload are encoded, not encrypted, so anyone who obtains the token can read its claims.

JWTs are widely used in authentication flows (OAuth 2.0, OpenID Connect), API authorization headers, and information exchange between microservices. The signature guarantees integrity: only a party holding the secret key can issue valid tokens. With the shared-secret HMAC algorithms this builder supports, that includes every service that verifies the tokens.

Supported Algorithms

  • HS256 — HMAC with SHA-256. Most common algorithm; good for most use cases with a shared secret.
  • HS384 — HMAC with SHA-384. Higher security margin; negligible performance difference in modern environments.
  • HS512 — HMAC with SHA-512. Maximum HMAC strength; recommended when handling highly sensitive payloads.

Standard JWT Claims Reference

  • sub (Subject) — Identifies the principal the token is about, e.g. a user ID.
  • iss (Issuer) — Identifies who issued the token, e.g. https://auth.example.com.
  • aud (Audience) — Identifies the recipients the token is intended for.
  • iat (Issued At) — Unix timestamp of when the token was issued.
  • exp (Expiration Time) — Unix timestamp after which the token must not be accepted.
  • nbf (Not Before) — Unix timestamp before which the token must not be accepted.
  • jti (JWT ID) — Unique identifier for the token, useful for preventing replay attacks.

How to Use This JWT Builder

  • Select an algorithm — HS256 is recommended for most use cases
  • Enter your secret key — use a strong random string; toggle 👁 to reveal/hide
  • Edit payload claims — modify the pre-filled fields or add custom ones with "+ Add Field"
  • Set timestamps — click "Now" next to iat and "+1h" next to exp for quick timestamp insertion
  • Click "Build JWT" — your signed token appears with color-coded sections
  • Copy and use — paste into your app, API client, or our JWT Decoder to verify

Frequently Asked Questions

Is this JWT builder safe to use with real secrets?

Everything runs locally in your browser using the Web Crypto API. Your secret key and payload are never sent to any server, logged, or stored. That said, for production secrets we recommend generating tokens programmatically within your secured backend environment.

Are the generated tokens cryptographically valid?

Yes. This tool uses the jose library which signs tokens using the browser's native Web Crypto API. Tokens generated here will pass signature verification in any standards-compliant JWT library (jsonwebtoken, python-jose, java-jwt, etc.) as long as you use the same algorithm and secret.

What is the difference between HS256, HS384, and HS512?

All three are HMAC-based symmetric algorithms — they use the same secret key to sign and verify. The difference is the underlying SHA hash function: SHA-256, SHA-384, or SHA-512. HS256 is the most widely supported default. Use HS512 when you need the highest security margin for sensitive payloads.

How do I verify a JWT I built here?

Paste the token into our JWT Decoder to inspect the header and payload. For full signature verification (confirming the token hasn't been tampered with), use a server-side JWT library with the same secret and algorithm.
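
What full signature verification with the same secret and algorithm involves on the server side, shown as an added example (not QuickTooly's code, and not the jose library): a minimal HS256 signer and verifier built on Node's crypto module. The function names, the secret and the claims are constructed for illustration.

```javascript
// Minimal HS256 sign/verify using only Node's built-in crypto module.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmacSha256 = (input, secret) => createHmac('sha256', secret).update(input).digest();

// token = b64url(header) + "." + b64url(payload) + "." + b64url(HMAC(secret, first two parts))
function signHS256(payload, secret) {
  // RFC 7518 section 3.2: the key must be at least as long as the hash output.
  if (Buffer.byteLength(secret) < 32) throw new Error('HS256 key must be at least 32 bytes');
  const header = { alg: 'HS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${b64url(hmacSha256(signingInput, secret))}`;
}

// Returns the claims if the token is valid at `now` (Unix seconds); throws otherwise.
function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;

  // Pin the algorithm on the verifier side; never let the token choose it.
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') throw new Error('unexpected alg');

  // Recompute the MAC and compare in constant time before trusting the payload.
  const expected = hmacSha256(`${h}.${p}`, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  // Only now parse the claims and enforce the time window (exp / nbf).
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof claims.exp === 'number' && now >= claims.exp) throw new Error('token expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf) throw new Error('token not yet valid');
  return claims;
}

// Constructed sample values (not real credentials); real keys should come from a CSPRNG.
const SAMPLE_SECRET = 'constructed-sample-secret-0123456789abcdef';
const SAMPLE_CLAIMS = { sub: 'user-123', iss: 'https://auth.example.com', iat: 1700000000, exp: 1700003600 };
const SAMPLE_TOKEN = signHS256(SAMPLE_CLAIMS, SAMPLE_SECRET);
console.log(SAMPLE_TOKEN);
console.log(verifyHS256(SAMPLE_TOKEN, SAMPLE_SECRET, 1700000100));
```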

Why are numeric values like timestamps auto-converted?

The JWT specification requires that iat, exp, and nbf are numeric (integer) values — not strings. This tool automatically detects and casts numeric input so your token is spec-compliant and compatible with all JWT libraries.

Does this support RS256 or asymmetric algorithms?

Currently this builder supports HMAC algorithms (HS256/384/512) which use a shared secret. Asymmetric algorithms like RS256, ES256, or PS256 require a private/public key pair. Support for those is planned in a future update.