Sign a JWT using HS256 (HMAC-SHA256) with a JSON payload and shared secret. The tool emits a complete three-part token (header.payload.signature) compatible with standard JWT libraries and the companion decode tool on this site.
How HS256 signing works
- Header JSON (
alg: HS256,typ: JWT) is Base64URL-encoded. - Payload JSON (your claims) is Base64URL-encoded.
- HMAC-SHA256 is computed over
header.payloadusing your secret, then Base64URL-encoded as the signature.
Common use cases
- Prototyping auth flows before wiring a backend issuer
- Generating test tokens for API gateways or GraphQL playgrounds
- Round-tripping with the JWT decoder to inspect header and claims
Limitations
HS256 uses a symmetric secret—anyone with the secret can forge tokens. RS256/ES256 asymmetric signing is not supported here. Payload must be valid JSON. Never use production secrets in browser tools.
Example
Payload {"sub":"123"} with secret secret yields a three-segment JWT decodable by standard libraries.