JWT Generator Guide: Creating HS256/RS256 Signed Tokens
What Is JWT
JSON Web Token (JWT) is a compact, self-contained token format widely used for authentication and information exchange:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDgwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
↑ Header ↑ Payload ↑ Signature
A JWT consists of three Base64URL-encoded strings separated by a dot (`.`).
Three-Part Structure Explained
Header
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
| Field | Meaning |
|---|---|
| `alg` | Signature algorithm: HS256, RS256, etc. |
| `typ` | Token type, always JWT |
Payload
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "iat": 1700000000,
  "exp": 1700008000
}
```
| Field | Meaning | Required |
|---|---|---|
| `sub` | Subject (user ID) | Recommended |
| `iat` | Issued At timestamp | Recommended |
| `exp` | Expiration time | Required |
| `iss` | Issuer | Optional |
| `aud` | Audience | Optional |
| `nbf` | Not Before (effective time) | Optional |
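As an added example (not part of the original guide or its tool), here is a stdlib-only Python check of the registered claims in the table above, applied to an already-decoded payload. The 30-second leeway, the `iss`/`aud` values and the sample payload are constructed for the example; signature verification is a separate step that must pass before these claims are trusted.

```python
import time

# Clock-skew tolerance in seconds; an assumed value for this example.
DEFAULT_LEEWAY = 30

# Constructed sample payload, mirroring the guide's example claims.
SAMPLE_PAYLOAD = {
    "sub": "1234567890",
    "name": "John Doe",
    "role": "admin",
    "iat": 1700000000,
    "exp": 1700008000,
    "iss": "https://issuer.example",  # assumed issuer
    "aud": ["web", "api"],            # assumed audience list
}


def validate_claims(payload, now=None, expected_iss=None, expected_aud=None, leeway=DEFAULT_LEEWAY):
    """Check the registered claims of a decoded JWT payload.

    Returns a list of problems; an empty list means the claims are acceptable.
    """
    now = int(time.time()) if now is None else now
    problems = []

    # exp is the one claim the guide marks as required.
    exp = payload.get("exp")
    if exp is None:
        problems.append("missing exp")
    elif not isinstance(exp, (int, float)):
        problems.append("exp is not a numeric Unix timestamp")
    elif now > exp + leeway:
        problems.append("token expired")

    # nbf: the token is not valid before this time.
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        problems.append("token not yet valid (nbf)")

    # iat: an issued-at time in the future points to a bad clock or a forged claim.
    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        problems.append("iat is in the future")

    # iss/aud are optional claims, but once the verifier expects them they must match.
    if expected_iss is not None and payload.get("iss") != expected_iss:
        problems.append("issuer mismatch")

    if expected_aud is not None:
        aud = payload.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            problems.append("audience mismatch")

    return problems


if __name__ == "__main__":
    print(validate_claims(SAMPLE_PAYLOAD, now=1700001000,
                          expected_iss="https://issuer.example", expected_aud="api"))
```

Returning a list of problems rather than a single boolean keeps the reason available for logging, which is what you want when diagnosing the "Token expired" and mismatch cases in the Common Issues table.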
Signature
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
The signature ensures the token hasn't been tampered with, but the Payload is only Base64URL-encoded, not encrypted: anyone holding the token can read it, so never put sensitive data in it!
HS256 vs RS256
| Comparison | HS256 | RS256 |
|---|---|---|
| Algorithm type | Symmetric (HMAC) | Asymmetric (RSA) |
| Key | Shared secret (string) | Public key + Private key |
| Verifier | Needs the same secret | Only needs the public key |
| Use case | Single service, internal microservices | Multi-service, third-party verification |
| Key management | Simple, but higher leak risk | More secure, public key can be shared |
Recommendation: Use HS256 for monoliths, RS256 for microservices/open APIs.
Using the JWT Generator
Step 1: Open the Tool
Visit the JWT Generator to enter the token creation interface.
Step 2: Select Signature Algorithm
- Single service: Select HS256 and enter a shared secret
- Multi-service: Select RS256 and paste a private key
Step 3: Fill in the Payload
Add claims in the payload editor:
```json
{
  "sub": "user_10086",
  "name": "John Doe",
  "role": "admin",
  "iat": 1700000000,
  "exp": 1700008000
}
```
`iat` and `exp` use Unix timestamps (seconds). The tool supports visual expiration time configuration.
Step 4: Generate the Token
Click "Generate". The tool automatically:
- Base64URL-encodes the Header
- Base64URL-encodes the Payload
- Computes the signature using the key
- Concatenates into a complete JWT string
Step 5: Verify the Token
Paste the generated token into the JWT Decoder and confirm:
- Header and Payload decode correctly
- Signature verification passes
- `exp` time hasn't passed
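Steps 4 and 5 are the signature formula from the Signature section carried out in code. As an added example that is not the tool's own implementation, the following stdlib-only Python performs the four generation steps for HS256 and then the verification steps: it pins the algorithm instead of trusting the token's header, compares the signature in constant time, and checks `exp`. The secret and payload values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads a long random secret from configuration.
DEMO_SECRET = b"change-me-32-bytes-of-random-secret!"

# Constructed payload, matching the guide's Step 3 example.
SAMPLE_PAYLOAD = {
    "sub": "user_10086",
    "name": "John Doe",
    "role": "admin",
    "iat": 1700000000,
    "exp": 1700008000,
}


def b64url_encode(data):
    # Base64URL: '-' and '_' instead of '+' and '/', and no '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # Restore the padding that Base64URL strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload, secret):
    """Step 4: encode header, encode payload, sign, concatenate."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token, secret, now=None):
    """Step 5: check structure, signature and expiry; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, signature_b64 = parts

    # Pin the algorithm rather than trusting whatever the token's header claims.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))

    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")

    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


def check_token(token, secret, now=None):
    """Convenience wrapper returning (ok, payload_or_reason) instead of raising."""
    try:
        return True, verify_hs256(token, secret, now=now)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    token = sign_hs256(SAMPLE_PAYLOAD, DEMO_SECRET)
    print(token)
    print(check_token(token, DEMO_SECRET, now=1700001000))
```

The three failure branches map onto the Common Issues table: a key mismatch or an edited payload fails at the signature check, and a past `exp` fails at the expiry check, each with a distinct reason string.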
Expiration Time Best Practices
| Scenario | Recommended exp | Reason |
|---|---|---|
| Access Token | 15-30 minutes | Short-lived, reduces leak risk |
| Refresh Token | 7-30 days | Long-lived, used for renewal |
| Email verification link | 1-24 hours | One-time use |
| API Key | No exp or 1+ year | Long-term credential |
Best practice: Use Access Token + Refresh Token dual-token approach.
Base64URL Encoding Notes
JWT uses Base64URL encoding, which differs from standard Base64:
| Difference | Standard Base64 | Base64URL |
|---|---|---|
| Character 62 | `+` | `-` |
| Character 63 | `/` | `_` |
| Padding `=` | Yes | No |
When using the Base64 Encode/Decode tool, make sure to select URL-safe mode.
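Added example (not from the original guide): the two alphabets side by side on a constructed two-byte input that lands exactly on the positions 62 and 63 where they differ, a Base64URL decoder that restores the stripped padding, and a check showing that a strict standard-Base64 decoder rejects JWT segments, which is the "Payload garbled" case from the Common Issues table.

```python
import base64
import binascii

# Constructed sample: 0xfb 0xff splits into the 6-bit values 62, 63 and 60,
# so the first two output characters are exactly where the alphabets differ.
SAMPLE = b"\xfb\xff"

# Header segment from the guide's example token.
EXAMPLE_HEADER_SEGMENT = "eyJhbGciOiJIUzI1NiJ9"


def to_standard_base64(data):
    return base64.b64encode(data).decode("ascii")


def to_base64url(data):
    """Base64URL as JWT uses it: '-' and '_' for values 62/63, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def from_base64url(text):
    """Decode Base64URL, restoring the '=' padding the encoder dropped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def standard_decoder_accepts(text):
    """True if a strict standard-Base64 decoder accepts the text unchanged."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def compare_encodings(data):
    """Return both encodings of the same bytes for side-by-side inspection."""
    return {"standard": to_standard_base64(data), "base64url": to_base64url(data)}


if __name__ == "__main__":
    print(compare_encodings(SAMPLE))
    print(from_base64url(EXAMPLE_HEADER_SEGMENT))
    print(standard_decoder_accepts(to_base64url(SAMPLE)))
```

The padding restoration is the part most home-grown decoders get wrong: a JWT segment of 43 characters needs one `=` appended, one of 42 needs two, and `-len(text) % 4` computes exactly that.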
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| Signature verification failed | Key mismatch | Confirm generation and verification use the same key |
| Token expired | exp time has passed | Regenerate or use Refresh Token |
| Payload garbled | Not decoded with Base64URL | Use the JWT Decoder |
| Sensitive data exposed | Payload not encrypted | Never put passwords or secrets in Payload |
| RS256 verification failed | Public key mismatch | Confirm the public key matches the private key |
Summary
JWT is a core technology for modern web authentication. Understanding the three-part structure and the difference between HS256/RS256, and correctly configuring claims and expiration, are key to secure JWT usage. The JWT Generator and JWT Decoder let you complete the full token creation, decoding, and verification workflow right in your browser.