Question 1

How do I create a JWT token?

Accepted Answer

Pick HS256. Add subject and expiration. Provide a secret key. Click Generate. Copy the token. Use it in your app for testing.

Question 2

What's the difference between HS256, RS256, and ES256?

Accepted Answer

HS256: shared secret. Same key signs and verifies. Simple. RS256: public/private keys. Private signs, public verifies. Multiple services can verify without sharing the signing key. ES256: like RS256 but smaller keys. Use HS256 for simple cases. RS256/ES256 for OAuth/OIDC.

Question 3

Is it safe to generate JWTs in a browser?

Accepted Answer

For testing, yes. Everything happens locally with Web Crypto API. Nothing sent to a server. NEVER use production secrets here. This is for testing and learning only. Generate production tokens on your backend.

Question 4

What claims should I include in my JWT?

Accepted Answer

Minimum: sub (user ID) and exp (expiration). Better: add iss (issuer), aud (audience), iat (issued at). Custom claims: roles, permissions, email, whatever you need. Keep it small — JWTs are sent with every request.

Question 5

How long should a JWT be valid?

Accepted Answer

Access tokens: 15min to 1hr. Refresh tokens: 7-30 days. Shorter = more secure (compromised tokens expire fast). Longer = better UX (fewer renewals). Balance security and convenience.

Question 6

What is the 'none' algorithm and why is it dangerous?

Accepted Answer

No signature. Anyone can modify the token. Extremely dangerous. Attackers can change user ID, permissions, anything. Never use in production. Only for local testing when you know you have zero security.

Question 7

How do I use the generated code snippets?

Accepted Answer

After generating, get code in JavaScript, Python, PHP, Go, Java, C#. Shows you how to make the same token in your language. Copy-paste into your project.

Question 8

What are token templates and how do I use them?

Accepted Answer

Pre-filled forms for common cases: Basic Auth, API Access, User Session, OAuth, Refresh Token. Pick one, customize, generate. Saves time and shows best practices.

Question 9

How do I generate RSA or ECDSA key pairs?

Accepted Answer

Using RS256/ES256? Click 'Generate Key Pair' for test keys. WARNING: Test keys only. Never use browser-generated keys in production. For production, use openssl or ssh-keygen on your server.

Question 10

What's the difference between standard and custom claims?

Accepted Answer

Standard claims (RFC 7519): iss, sub, aud, exp, nbf, iat, jti. Have specific meanings. Custom claims: your own fields like roles, email, permissions. Standard = interoperability. Custom = your business logic.

JWT Generator

How to Use

Frequently Asked Questions

Related Tools

Base64 Encoder/Decoder

Cryptographic Hash & Encoding Toolkit

UUID Generator & Toolkit

JWT Decoder