JWT Generator & Creator — Complete Guide to JSON Web Tokens 2026

📅 March 10, 2026 ⏱ 16 min read 📁 Security


JSON Web Tokens (JWT, RFC 7519) are a widely used standard for carrying authentication and authorization claims between services. This guide covers how to generate, sign, and validate JWTs for modern web applications, and the checks a verifier must perform before trusting anything in the token.


What is a JWT?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are widely used for authentication (proving who the caller is) and authorization (carrying the roles or permissions a service should enforce) between web clients, APIs and services.

Key benefit: JWTs are self-contained. The signature lets any service holding the right key check that the token is authentic and unmodified without a database lookup. The flip side is that a token stays valid until it expires, so revoking one early needs extra machinery (a blocklist, discussed below).

JWT Structure

A JWT consists of three parts separated by dots: header.payload.signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

1. Header

Contains token type and signing algorithm:

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

Contains claims (user data and metadata):

{
  "sub": "1234567890",
  "name": "John Doe",
  "email": "[email protected]",
  "iat": 1516239022,
  "exp": 1516242622
}

3. Signature

Lets the verifier detect any change to the header or payload. Until the signature has been checked, neither part (including the "alg" field in the header) can be trusted:

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  your-256-bit-secret
)

JWT Claims Explained

Registered Claims (Standard)

Claim  Name        Description
iss    Issuer      Who created the token; the verifier should compare it to the issuer it expects
sub    Subject     Token subject (usually the user ID)
aud    Audience    Intended recipient; a service must reject tokens not addressed to it
exp    Expiration  Token expiry time (Unix seconds); reject at or after this instant
nbf    Not Before  Token is not valid before this time (Unix seconds)
iat    Issued At   Token creation time (Unix seconds)
jti    JWT ID      Unique token identifier; needed for revocation and replay detection

Custom (Private) Claims

{
  "sub": "user-123",
  "name": "Jane Doe",
  "role": "admin",
  "permissions": ["read", "write", "delete"],
  "tenant_id": "org-456"
}
⚠️ Security Warning

Never store sensitive data (passwords, card numbers, personal data you would not put in a log) in the JWT payload. Payloads are base64url-encoded, not encrypted, so anyone who holds the token can decode them. Conversely, claims such as role and permissions are only trustworthy after the signature has been verified; decoding a token is not verifying it.

Signing Algorithms

HS256 (HMAC SHA-256)

Best for: Single-service authentication

{
  "alg": "HS256",
  "typ": "JWT"
}

Uses a shared secret, so every service that can verify a token can also mint one. Use at least 256 bits (32 bytes) of random key material, as RFC 7518 requires for HS256, and confine the secret to the issuer and its verifiers.

RS256 (RSA SHA-256)

Best for: Multi-service, OAuth providers

{
  "alg": "RS256",
  "typ": "JWT"
}

Uses a public/private key pair: the issuer signs with the private key and verifiers need only the public key, so a compromised verifier cannot forge tokens. Signatures are large (256 bytes for a 2048-bit key).

ES256 (ECDSA SHA-256)

Best for: Mobile and IoT (smaller signatures)

Uses ECDSA on the P-256 curve with SHA-256. A signature is 64 bytes (the raw r and s values concatenated), a quarter of an RSA-2048 signature, at comparable security.

How to Create a JWT

Step 1: Create Header

const header = {
  alg: 'HS256',
  typ: 'JWT'
};

Step 2: Create Payload

const payload = {
  sub: 'user-123',
  name: 'John Doe',
  role: 'admin',
  iat: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + (60 * 60) // 1 hour
};

Step 3: Generate Signature

const crypto = require('crypto');

// Both parts are base64url-encoded JSON: no padding, '-' and '_' instead of '+' and '/'
const base64UrlEncode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Demo value only: a real HS256 secret should be at least 32 random bytes, loaded from
// a secret store, never hard-coded
const secret = 'your-secret-key';
const signingInput = base64UrlEncode(header) + '.' + base64UrlEncode(payload);
const signature = crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');

Step 4: Combine Parts

// The signature is already base64url-encoded; do not encode it a second time
const jwt = signingInput + '.' + signature;

Complete Example (Node.js)

const jwt = require('jsonwebtoken');

// Load the secret from the environment or a secret store, never from source
const secret = process.env.JWT_SECRET;

const token = jwt.sign(
  {
    sub: 'user-123',
    role: 'admin'
  },
  secret,
  // Pin the algorithm and name issuer/audience so verifiers can check them
  { algorithm: 'HS256', expiresIn: '1h', issuer: 'https://auth.example.com', audience: 'api' }
);

console.log(token);

Security Best Practices

1. Use HTTPS Always

Never transmit JWTs over unencrypted connections. A JWT is a bearer token: anyone who captures it can use it until it expires, no password required.

2. Set Short Expiration Times

// Good: Short-lived tokens
{ expiresIn: '15m' }

// Bad: Long-lived tokens
{ expiresIn: '365d' }

3. Store Tokens Securely

// ❌ Bad: any script running on the page (XSS) can read and exfiltrate the token
localStorage.setItem('token', token);

// ✅ Better: HttpOnly cookie, unreadable from JavaScript
res.cookie('token', token, {
  httpOnly: true,
  secure: true,
  sameSite: 'strict',
  maxAge: 15 * 60 * 1000 // match the token lifetime (Express takes milliseconds)
});

Cookies are sent automatically by the browser, so they need the same CSRF defences as a session cookie; sameSite is the first of those, not the only one. An HttpOnly cookie also does not stop injected script from calling your API with the cookie attached; it stops the token itself from being stolen and reused elsewhere.

4. Validate Everything

try {
  // jwt.verify checks the signature, exp and nbf itself. Pin the algorithm list so the
  // token's header cannot select a different one, and pass issuer and audience so they
  // are enforced rather than merely present in the payload.
  const decoded = jwt.verify(token, secret, {
    algorithms: ['HS256'],
    issuer: 'https://auth.example.com',
    audience: 'api'
  });
  // Authorization is still your job: check decoded.role / decoded.permissions here
} catch (err) {
  // Invalid, expired, or not intended for this service: respond 401, do not fall back to jwt.decode
}

5. Implement Token Refresh

// Access token: 15 minutes, sent with every API request
// Refresh token: 7 days, sent only to the refresh endpoint
// Refresh endpoint issues a new pair and invalidates the old refresh token (rotation);
// a refresh token presented twice is a sign of theft, so revoke the whole session
💡 Pro Tip

Use a JWT blocklist (for example in Redis) to revoke tokens before expiration for logout or security incidents. Key it by the jti claim with a TTL equal to the token's remaining lifetime, so the list only ever holds tokens that are still live; for account-wide revocation (password reset, compromise) store a per-user cutoff and reject tokens whose iat is older than it.

Best JWT Tools

1. DevKits JWT Generator

Best for: Creating and testing JWTs

Try DevKits JWT Generator →

2. jwt.io Debugger

Best for: Token inspection. Decode only what you are allowed to share: a production token pasted into any third-party debugger is a live credential handed to that site.

3. jose (JavaScript Library)

Best for: Production JWT handling

npm install jose

Frequently Asked Questions

Can JWTs be decrypted?

JWTs are signed, not encrypted. Anyone can read the payload. For encryption, use JWE (JSON Web Encryption).

How long should a JWT last?

Access tokens: 15-60 minutes. Refresh tokens: 1-7 days. Shorter is more secure.

Should I store JWTs in localStorage?

Prefer not to. An httpOnly, secure, SameSite cookie keeps the token out of reach of injected scripts; it then needs the usual CSRF protections, because the browser attaches it to requests automatically.

What's the difference between HS256 and RS256?

HS256 uses one shared secret, so anyone who can verify can also sign; it is simple and fine when the issuer and verifier are the same service. RS256 uses a private key to sign and a public key to verify, so verifiers can be handed the public key freely, which is why it suits distributed systems and OAuth/OIDC providers. In both cases the verifier must fix the algorithm it accepts rather than read it from the token.


Last updated: March 10, 2026