What algorithm does this use?

It signs with HS256 — HMAC using SHA-256 — via the browser's Web Crypto API. The header is fixed to {"alg":"HS256","typ":"JWT"}.

Is it safe to enter a real secret?

Signing happens entirely in your browser using Web Crypto; the secret and payload are never sent over the network. As always, avoid pasting production secrets into any browser tab on a shared machine.

Can it verify or decode tokens?

This tool only signs tokens. To inspect an existing token use the JWT decoder, or the JWT claims explainer to understand each claim.

JWT Generator (HS256)

Sign HS256 JSON Web Tokens in your browser with Web Crypto.

Generate a signed HS256 JWT

Build and sign a JSON Web Token with the HS256 (HMAC-SHA256) algorithm straight in your browser. Provide a JSON payload and a shared secret, and the tool emits a standard header.payload.signature token you can drop into an Authorization: Bearer header for testing.

The signing uses the browser’s native Web Crypto API — your secret and claims never leave the page, so it is safe for local development and integration testing.