Skip to content
Marvin's Toolbox.

Search tools

Type to filter all tools

JWT Encoder

Build and sign a JSON Web Token from a header and payload. Supports the HMAC, RSA, ECDSA and EdDSA algorithms real systems use, fills in standard claims like expiry for you, and shows the signed token ready to copy.

Everything runs locally in your browser. Your data never leaves your device.

Algorithm and key

HMAC with SHA-256. Signs with a shared secret.

Header and payload

Both parts are editable JSON. Extra header members like kid are kept as written.

exp in

Signed token

Nothing signed yet
Enter or generate a secret above to sign the token. Or fill the whole tool with one click.

Next steps

Send this tool's output straight into another tool.

Paste a JSON Web Token to see its header and payload as formatted JSON, with the token color coded so each part maps to its output. Explains the registered claims, shows expiry as readable dates, flags expired tokens and can verify the signature with a secret or public key.

Convert text into every case at once: title case in the APA, AP, Chicago, MLA, Bluebook, AMA and NYT styles, sentence case, upper, lower, camelCase, snake_case, kebab-case and more.

Count words, characters, sentences, paragraphs, lines and more as you type, with estimated reading and speaking time.

Remove duplicate lines from a list or text, keeping the first occurrence. Optionally ignore case and whitespace, or drop blank lines too.

Replace text in two modes: plain find and replace all, or regular expressions with flag controls and capture group references like $1.

Compare two texts and see every added, removed and changed line highlighted, side by side or inline, with the changed words marked within each line. Ignore case, whitespace or blank lines, read a summary of how much changed, and export the result as a unified diff.

Paste a UUID to see what it carries: version, variant, and for time-based versions the exact timestamp, clock sequence and node. Also shows the raw bytes, the 128-bit integer and the URN form.

Decode Base64 to text or encode text to Base64. Paste into the top box, read the result below, and flip the direction with one click. Handles Unicode correctly, reads URL-safe Base64, and shows binary payloads as a hex dump you can download.

Convert numbers between binary, octal, decimal, hexadecimal and any base up to 36. Type into any field and the others update as you go. Handles huge integers without losing precision and accepts 0x, 0b and 0o prefixes.

About the JWT Encoder Tool

This tool builds and signs a JSON Web Token from an editable header and payload. Pick the algorithm, enter the secret or private key, and the signed token appears color coded by part, checked with a round trip verification against the same key as you type.

Claim helper buttons fill in the timestamps nobody wants to calculate by hand. Set iat or nbf to now, give exp a lifetime in minutes, hours or days, and generate a random jti. One click fills the whole tool with an example payload and a freshly generated key.

What you can do

  • Create and sign a JWT with a custom header and payload.
  • Sign an HS256, HS384 or HS512 token with a shared secret, entered as text or Base64.
  • Sign RS, PS, ES and EdDSA tokens with a PKCS#8 PEM private key or a private JWK.
  • Set iat, nbf and exp claims without calculating Unix timestamps.
  • Generate a test token with a random secret or a fresh key pair in one click.
  • Keep extra header members like kid in the signed token.

How to use the JWT Encoder

  1. 1Pick the signing algorithm. The header's alg field follows automatically, and editing it in the header JSON moves the picker too.
  2. 2Enter the secret for HS tokens, or paste the private key for the RS, PS, ES and EdDSA families. The generate button creates one for you.
  3. 3Edit the header and payload as JSON, and use the claim buttons for iat, nbf, exp and a random jti.
  4. 4Copy the signed token from the bottom section. Every change re-signs and re-verifies it immediately.
  5. 5Check the result in the JWT Decoder, which decodes the token and verifies the signature.

Which algorithm should you pick?

The HS family signs and verifies with the same shared secret, so it fits a single service that does both. HS256 with a random secret of at least 32 bytes is the usual choice, and the built-in generator produces exactly that.

The asymmetric families split the roles: the private key signs, the public key verifies. That lets any number of services verify tokens without being able to create them. RS256 is the most widely supported, ES256 produces much shorter tokens, and EdDSA (Ed25519) is the modern pick where every consumer supports it.

Keys, formats and mismatches

HMAC secrets can be raw text or Base64, and a secret shorter than the hash size gets a gentle warning. Private keys are accepted as PKCS#8 PEM blocks (BEGIN PRIVATE KEY) or private JWKs, and the Key Pair Generator can create a pair and send the private half straight here.

If the key does not match the chosen algorithm, the tool says so by name. An RSA key with ES256 selected, or a P-384 key where P-256 is needed, gets a message naming both sides and the algorithm the key actually signs. Public keys are rejected on purpose, since signing always needs the private half.

The token is signed exactly as configured

Extra header members like kid survive signing untouched, so tokens for systems that route by key id come out right. The payload is minified into the compact token the way JWT libraries produce it, while the pretty printed panes stay as you wrote them.

Credits

Open source does the heavy lifting in this tool. Thank you to:

  • jose

    A complete JavaScript implementation of JWT, JWS, JWE and the rest of the JOSE family.

Everything this site builds on is listed on the credits page.

Hash a password with bcrypt or Argon2 and verify a password against an existing hash. Tune the cost factor, memory, iterations and parallelism, see how long the hash takes, and read the parsed parts of any hash you paste.

Verify a checksum online: drop a file, paste the expected checksum and see instantly whether they match. The hash type is detected from the checksum itself, covering MD5, SHA-1, SHA-256, SHA-512, BLAKE3, CRC-32 and more, and sha256sum lines or whole checksum files can be pasted as-is.

Paste raw email headers to trace the Received chain hop by hop with per-hop delays, read the SPF, DKIM and DMARC results, and see every header explained. Helps you spot spoofing and find where a slow email got stuck.

Hash text or a file with MD5, SHA-1, SHA-256, SHA-512, SHA-3, BLAKE2, BLAKE3, CRC32 and more, all computed live as you type. Compare against an expected checksum and copy any digest.

Reveal the characters you can't see in a text: zero-width spaces, non-breaking spaces, bidi marks, control characters and CRLF versus LF line endings. Inspect every occurrence and clean them out with a click.

Paste a JSON Web Token to see its header and payload as formatted JSON, with the token color coded so each part maps to its output. Explains the registered claims, shows expiry as readable dates, flags expired tokens and can verify the signature with a secret or public key.