JWT encoder online — HS256 HMAC signatures for API mocks and auth QA

Use this free JWT encoder online to create HS256-signed JSON Web Tokens from editable header and payload JSON. The tool forms the standard JWS compact serialization (three Base64URL segments), then signs header.payload with HMAC-SHA256 (HS256) using your UTF-8 secret—ideal when you need a Bearer token sample for Postman, curl, or integration tests that mirror symmetric-key APIs. Signing runs in your browser via Web Crypto; use the Upload controls to pull JSON fixtures from disk and the Copy control on the result to move tokens into clients. Cross-check issued tokens with our JWT decoder, tighten JSON with the JSON formatter & validator, and browse every security & encryption tool from the home page.

Security note: use only test secrets here. Anyone who knows the HS256 secret can mint tokens your verifier will accept, so treat the secret exactly like a password. Never ship production keys in the browser or commit them to repos.

Why teams need a JWT encoder during development

Microservices and SPAs increasingly rely on JSON Web Tokens for stateless authorization. When a gateway expects Authorization: Bearer with a symmetric HS256 token, engineers need a fast way to mint signed samples that match their test fixtures—without deploying a full identity server. A JWT generator HS256 workflow fills that gap: you control registered claims like exp, iss, and aud, plus private names your API understands. This page is not a substitute for a production OAuth 2.0 / OpenID Connect issuer—it helps you reproduce token shape and signature math locally.

How HS256 signing works (short guide)

HS256 uses a shared secret: the same key material signs the token and verifies it on the resource server, so every service that can verify a token can also mint one. The JWT header normally declares alg: HS256. The signing input is the ASCII string of the first two segments joined by a dot, without a trailing dot; each segment is the Base64URL encoding (no padding) of the exact UTF-8 JSON text, so whitespace and key order in your header and payload change the token string without changing its validity. The signature is the HMAC-SHA256 digest of that string, Base64URL-encoded as the third segment. A verifier must take the algorithm from its own configuration rather than from the token's alg field; otherwise a token claiming alg: none or a different algorithm may slip through. If you need raw HMAC digests outside the JWT layout, compare results with the HMAC generator in the same security toolkit.

How to use this JWT encoder (step by step)

  1. Edit the header JSON. The default includes typ: JWT and alg: HS256; this tool enforces HS256 signing even if you omit alg. Optional: click Upload next to the field to load a saved header JSON file from your machine.
  2. Edit the payload JSON with claims your tests require—often sub, iat, and exp as Unix seconds. Upload a JSON file if you keep golden payloads in repo fixtures.
  3. Enter the secret string your verifier will use. It must match byte-for-byte what the server expects (UTF-8 encoding). Use disposable values for screenshots and demos.
  4. Click Sign & build JWT. Copy the token with the Copy button (copy icon) and attach it to HTTP requests. Decode the same string with the JWT decoder to confirm header and payload round-tripped.

Keywords and search intents this page covers

Developers often search for an online JWT maker, HS256 token generator, JWT sign with secret, or HMAC JWT tool when wiring middleware or mocking APIs. Related workflows include Postman JWT presets, Express jwt.verify smoke tests, and teaching the difference between symmetric and asymmetric signing. For Base64URL building blocks outside the JWT wrapper, use the Base64 encoder & decoder.

Security and limitations

This utility only implements HS256. It does not issue refresh tokens, manage JWKS rotation, or validate aud / iss for you; your API must still enforce policy. Encrypted tokens (JWE) and RSA/ECDSA algorithms are out of scope. Never paste production secrets into shared machines; prefer CI secrets stores and short-lived test keys. HS256 keys should be random and at least 32 bytes long (RFC 7518 calls for a key no shorter than the 256-bit hash output); a short human-chosen secret can be brute-forced offline from a single captured token. If you must reuse a human-chosen string across test environments, run it through the password strength meter first.

Related security & encryption tools

Highlights from the catalog (also listed on the home page security section):

  • Password Strength Meter: Score password entropy, estimate crack time, and get practical hardening tips.
  • bcrypt Hash Generator: Generate bcrypt hashes with configurable cost for secure password storage testing.
  • AES Encrypt & Decrypt: Encrypt and decrypt text with AES-256 and a passphrase; runs fully in your browser.
  • RSA Key Pair Generator: Create 1024–4096 bit RSA public/private key pairs locally for demos and dev workflows.
  • CSP Builder: Toggle Content-Security-Policy directives and copy a header value ready for your server.
  • Security Headers Checker: Analyze security-related HTTP headers on any URL with graded guidance to harden responses.
  • HMAC Generator: Create HMAC-SHA256 or HMAC-SHA512 signatures with a secret for webhook and API verification.
  • SSL Certificate Decoder: Paste PEM certificates to read subject, issuer, SANs, and validity windows.
  • .htaccess Generator: Assemble common Apache .htaccess rules for redirects, HTTPS, caching, and access control.

Frequently asked questions

What does this JWT encoder do?
It builds a three-part JSON Web Token (JWS compact) from JSON header and payload objects, then signs the "header.payload" string with HMAC-SHA256 (HS256) using your secret. The output is a standard JWT string you can paste into Authorization headers, Postman, or test harnesses.
Which algorithms are supported?
Only HS256 (HMAC with SHA-256) is supported here—the header's alg field is set to HS256 for signing. RS256, ES256, and asymmetric keys require different key material and are not implemented on this page.
Is my secret sent to your servers?
No. Signing runs in your browser with the Web Crypto API. The secret and JSON never leave your device unless you copy them elsewhere or your browser syncs clipboard history to the cloud.
Is this safe for production tokens?
This page is for development and API testing. Production systems should issue tokens from a hardened authorization server, store secrets in a vault, rotate keys, and validate audience, issuer, expiry, and signature on every request. Do not embed long-lived shared secrets in client apps.
Why does my API reject the token this tool generated?
Common causes: wrong secret (including a server that base64-decodes its configured secret before use while you typed the raw string), exp already in the past or nbf still in the future once clock skew is accounted for, audience (aud) or issuer (iss) mismatch, the API expecting a different algorithm (for example RS256), or a missing Bearer prefix in the Authorization header. Compare your claims with the provider docs and verify the exact signing key bytes the resource server uses.
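A claims check that says why a token would be rejected, as an added example for this FAQ entry (not the site's code or any library's API). It runs the checks a resource server performs after the signature has passed, with the clock, expected audience and issuer passed in so the result is deterministic; the leeway parameter, the checkClaims name and the sample payload are our own constructions for illustration.

```javascript
// Added example (not the site's code): report why a token's claims would be
// rejected after the signature has already passed. Clock and expectations are
// parameters so the check is deterministic and easy to unit-test.

// Decode one Base64URL JSON segment of a compact JWT (header or payload).
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Returns an array of human-readable problems; an empty array means the
// claims pass. `now` is Unix seconds; `leeway` (seconds, hypothetical name)
// absorbs clock skew between issuer and verifier. A missing exp is treated as
// a failure because a token without an expiry never ages out.
function checkClaims(payload, { audience, issuer, now = Math.floor(Date.now() / 1000), leeway = 0 } = {}) {
  const problems = [];

  if (typeof payload.exp !== "number") {
    problems.push("exp missing");
  } else if (now > payload.exp + leeway) {
    problems.push(`exp expired ${now - payload.exp}s ago`);
  }
  if (typeof payload.nbf === "number" && now + leeway < payload.nbf) {
    problems.push(`nbf not valid for another ${payload.nbf - now}s`);
  }
  if (typeof payload.iat === "number" && payload.iat > now + leeway) {
    problems.push(`iat is ${payload.iat - now}s in the future`);
  }
  if (issuer !== undefined && payload.iss !== issuer) {
    problems.push(`iss mismatch: got ${JSON.stringify(payload.iss)}, want ${JSON.stringify(issuer)}`);
  }
  if (audience !== undefined) {
    // RFC 7519: aud may be a single string or an array of strings.
    const auds = Array.isArray(payload.aud) ? payload.aud : payload.aud === undefined ? [] : [payload.aud];
    if (!auds.includes(audience)) {
      problems.push(`aud mismatch: got ${JSON.stringify(payload.aud)}, want ${JSON.stringify(audience)}`);
    }
  }
  return problems;
}

// Constructed sample payload: one hour of validity starting at iat.
const SAMPLE_CLAIMS = {
  sub: "user-42",
  iss: "https://issuer.example",
  aud: ["api.example"],
  iat: 1700000000,
  nbf: 1700000000,
  exp: 1700003600,
};
const EXPECT = { audience: "api.example", issuer: "https://issuer.example" };

// The same payload, inspected at different moments and against different expectations.
function scenarios() {
  const segment = Buffer.from(JSON.stringify(SAMPLE_CLAIMS)).toString("base64url");
  const claims = decodeSegment(segment); // what a verifier pulls out of the token
  return {
    fresh: checkClaims(claims, { ...EXPECT, now: 1700000100 }),
    justExpired: checkClaims(claims, { ...EXPECT, now: 1700003620 }),
    expiredWithLeeway: checkClaims(claims, { ...EXPECT, now: 1700003620, leeway: 60 }),
    tooEarly: checkClaims(claims, { ...EXPECT, now: 1699999990 }),
    wrongAudience: checkClaims(claims, { ...EXPECT, audience: "other.example", now: 1700000100 }),
    wrongIssuer: checkClaims(claims, { ...EXPECT, issuer: "https://evil.example", now: 1700000100 }),
  };
}

console.log(scenarios());
```

Feed the payload segment of a token this encoder produced into decodeSegment and run checkClaims with the aud and iss your API is configured for; the returned messages usually name the mismatch faster than the API's generic 401 does.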
How is this different from your JWT decoder?
The decoder reads existing tokens without verifying signatures. This encoder creates a new HS256-signed JWT from JSON you supply. Use the decoder to inspect tokens returned by identity providers; use this encoder when you need a quick signed sample for integration tests.
Can I upload header and payload from files?
Yes. Use the upload controls next to each field to load .json or text files from disk. Files are read locally in the browser—nothing is uploaded to our infrastructure.
Which related tools should I use?
Verify HMAC behavior with the HMAC generator, format JSON with the JSON formatter, debug tokens with the JWT decoder, and explore Base64URL segments with the Base64 encoder—all linked from this site’s developer and security tool sections.