JWT Generator
Sign HS256 JWTs in your browser using the Web Crypto API.
Frequently asked questions
- What's the difference between HS256 and RS256 JWTs?
- HS256 uses one shared secret for signing and verifying, so any party that can verify can also forge tokens. RS256 uses an RSA key pair, letting you publish the public key for verification while keeping the private key locked down.
- How long should the HS256 signing secret be?
- RFC 7518 requires at least 256 bits (32 bytes) of cryptographically strong randomness for HS256. Short or human-typed passwords leave the token vulnerable to offline brute-force attacks.
- Which claims should I include in every JWT I issue?
- At minimum include iss (issuer), sub (subject), exp (expiration), and iat (issued at). Add aud (audience) when the token targets a specific consumer so it cannot be replayed against a different API.
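The following is an added example, not this tool's own source code, showing what the three answers above look like with the Web Crypto API: a 32-byte random secret enforced at key import, the iss/sub/iat/exp claims set at signing, and an aud check on verification. The function names and the claim values used with them are hypothetical.

```javascript
// Added example, not the tool's source. Function names are hypothetical.
// Runs in a browser; the require() fallback is only for Node versions without a global crypto.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

// base64url without padding, as JWS requires.
const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4)),
    (c) => c.charCodeAt(0));

// 32 bytes from the CSPRNG, never a typed password.
const newSecret = () => wc.getRandomValues(new Uint8Array(32));

async function importKey(secret) {
  // Enforce the 256-bit minimum for HS256 before the key is ever used.
  if (!(secret instanceof Uint8Array) || secret.length < 32)
    throw new Error("HS256 secret must be at least 32 bytes");
  return wc.subtle.importKey("raw", secret, { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
}

async function signJwt(claims, secret, ttlSeconds = 300) {
  for (const c of ["iss", "sub"]) if (!claims[c]) throw new Error(`missing claim: ${c}`);
  const key = await importKey(secret);
  const iat = Math.floor(Date.now() / 1000);
  const body = { ...claims, iat, exp: iat + ttlSeconds }; // iat/exp are set here, not by the caller
  const input = [{ alg: "HS256", typ: "JWT" }, body].map((o) => b64url(enc.encode(JSON.stringify(o)))).join(".");
  const sig = await wc.subtle.sign("HMAC", key, enc.encode(input));
  return `${input}.${b64url(new Uint8Array(sig))}`;
}

async function verifyJwt(token, secret, expected) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  // Pin the algorithm; never let the token's header choose it.
  if (JSON.parse(dec.decode(b64urlDecode(h))).alg !== "HS256") throw new Error("unexpected alg");
  const key = await importKey(secret);
  if (!(await wc.subtle.verify("HMAC", key, b64urlDecode(s), enc.encode(`${h}.${p}`))))
    throw new Error("bad signature");
  const claims = JSON.parse(dec.decode(b64urlDecode(p)));
  if (!(claims.exp > Math.floor(Date.now() / 1000))) throw new Error("expired");
  if (claims.iss !== expected.iss) throw new Error("wrong issuer");
  // A token minted for one API is rejected by another.
  if (expected.aud !== undefined && claims.aud !== expected.aud) throw new Error("wrong audience");
  return claims;
}
```

Because HS256 is symmetric, whichever service calls `verifyJwt` holds the same secret and could also call `signJwt`; that is the trade-off the first answer describes.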