Documentation & Learning Resources
Back to Tool

JWT Generator Guide

Creation Tool Updated: May 2024

The JWT Generator allows you to create new JWT tokens from scratch with custom headers, payloads, and signatures. This tool is essential for testing applications, creating proof-of-concept tokens, and understanding JWT construction.

What is JWT Generation?

JWT generation is the process of creating a new JSON Web Token by:

  • Defining the header: Specifying algorithm, type, and other metadata
  • Creating the payload: Adding claims that represent the token's information
  • Generating the signature: Cryptographically signing the token
  • Assembling the token: Combining all parts into a complete JWT
Use Cases: Testing authentication flows, creating demo tokens, prototyping applications, and security research.

How to Use the JWT Generator

Step 1: Navigate to the Tool

Click on the "🔧 JWT Generator" tab in the main JWTAuditor interface.

Step 2: Configure the Header

The header editor comes pre-populated with a default header. You can modify it as needed:

Default Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Common header modifications:

  • Algorithm: Change between HS256, HS384, HS512, RS256, RS384, RS512, or none
  • Key ID: Add a "kid" parameter for key identification
  • Content Type: Add "cty" for nested JWTs
  • Custom parameters: Add application-specific header claims

Step 3: Build the Payload

The payload editor includes a default payload with common claims. You can:

Default Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Adding Standard Claims

Use the claim buttons to quickly add standard JWT claims:

Subject - The user identifier
Issuer - Who issued the token
Audience - Who the token is for
Expiration - When the token expires
Not Before - When the token becomes valid
Issued At - When the token was issued
JWT ID - Unique identifier for the token

Step 4: Configure Signature Options

Choose the signing algorithm and provide the necessary credentials:

none Algorithm

Creates an unsigned token. Useful for testing if applications accept unsigned tokens.

Security Risk: No cryptographic protection

HMAC Algorithms (HS256, HS384, HS512)

Uses a shared secret key for signing. Enter your secret key in the "Secret Key" field.

Example: your-256-bit-secret

RSA Algorithms (RS256, RS384, RS512)

Uses RSA private key for signing. You can:

  • Paste an existing private key
  • Generate a new key pair using the "Generate RSA Key Pair" button

Step 5: Generate RSA Keys (Optional)

For RSA algorithms, you can generate a new key pair:

  1. Select an RSA algorithm (RS256, RS384, or RS512)
  2. Click "Generate RSA Key Pair"
  3. The tool will generate a 2048-bit RSA key pair
  4. The private key will be used for signing
  5. The public key will be displayed for verification purposes

Step 6: Generate the JWT

Click "Generate JWT" to create your token. The tool will:

  • Validate the JSON syntax
  • Update timestamp claims (iat, exp, nbf) if present
  • Generate the appropriate signature
  • Display the complete JWT token

Step 7: Copy and Use

Use the "Copy to Clipboard" button to copy the generated token for use in your applications or testing.

Common Use Cases

1. Testing Authentication Flow

Create tokens with different user roles to test application access control:

Admin User Token

{
  "sub": "admin",
  "name": "Administrator",
  "role": "admin",
  "permissions": ["read", "write", "delete", "admin"],
  "iat": 1516239022,
  "exp": 1516242622
}

Regular User Token

{
  "sub": "user123",
  "name": "John Doe",
  "role": "user",
  "permissions": ["read"],
  "iat": 1516239022,
  "exp": 1516242622
}

2. API Testing

Create tokens for testing API endpoints with different scopes:

API Access Token

{
  "sub": "api-client",
  "aud": "https://api.example.com",
  "scope": "read:users write:users",
  "client_id": "abc123",
  "iat": 1516239022,
  "exp": 1516242622
}

3. Microservices Communication

Generate tokens for service-to-service communication:

Service Token

{
  "sub": "user-service",
  "aud": "order-service",
  "iss": "auth-service",
  "scope": "service:user:read service:order:write",
  "iat": 1516239022,
  "exp": 1516242622
}

4. Security Testing

Create tokens for security testing scenarios:

Privilege Escalation Test

{
  "sub": "user123",
  "name": "John Doe",
  "role": "admin",  // Elevated privilege
  "original_role": "user",
  "privilege_escalation_test": true,
  "iat": 1516239022,
  "exp": 1516242622
}

Advanced Features

Automatic Timestamp Updates

The generator automatically updates timestamp claims when generating tokens:

  • iat (Issued At): Set to current timestamp
  • exp (Expiration): Updated relative to current time
  • nbf (Not Before): Set to current timestamp

Custom Claims

Add any custom claims to the payload by editing the JSON directly:

Custom Claims Example

{
  "sub": "1234567890",
  "name": "John Doe",
  "custom_claim": "custom_value",
  "organization": "Acme Corp",
  "department": "Engineering",
  "security_level": "high",
  "features": ["feature1", "feature2"],
  "metadata": {
    "ip": "192.168.1.1",
    "user_agent": "Mozilla/5.0...",
    "session_id": "abc123"
  }
}

Nested JWTs

Create nested JWTs by setting the content type in the header:

Nested JWT Header

{
  "alg": "HS256",
  "typ": "JWT",
  "cty": "JWT"
}

Key ID (kid) Parameter

Add key identifiers for key management:

Header with Key ID

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "key-2024-01"
}

Best Practices

Security Best Practices

  • Use strong secrets: For HMAC algorithms, use cryptographically secure random secrets
  • Set appropriate expiration: Don't create tokens that live too long
  • Include necessary claims: Add issuer, audience, and other validation claims
  • Use appropriate algorithms: Consider RS256 for production systems
  • Validate inputs: Ensure all claims are properly validated

Testing Best Practices

  • Test different scenarios: Create tokens for various user types and permissions
  • Test edge cases: Create tokens with missing claims, invalid timestamps, etc.
  • Document test cases: Keep track of different token configurations
  • Validate behavior: Ensure your application handles tokens correctly

Development Best Practices

  • Use consistent claim names: Standardize claim names across your application
  • Include version information: Add version claims for token format changes
  • Add debugging information: Include claims that help with debugging
  • Consider token size: Keep tokens reasonably small for performance

Working with RSA Keys

Key Generation

The built-in RSA key generator creates 2048-bit keys suitable for testing:

  • Private key: Used for signing tokens
  • Public key: Used for verification (displayed for reference)
  • Format: PEM format compatible with most systems

External Key Management

You can also use externally generated keys:

Generate keys with OpenSSL

# Generate private key
openssl genrsa -out private.pem 2048

# Extract public key
openssl rsa -in private.pem -pubout -out public.pem

# View key details
openssl rsa -in private.pem -text -noout

Key Security

  • Private key protection: Never share or commit private keys
  • Key rotation: Regularly rotate keys in production
  • Key storage: Use secure key management systems
  • Testing keys: Use separate keys for testing and production

Troubleshooting

Q: I get "Invalid JSON" when generating tokens

A: Check that your header and payload JSON is properly formatted. Use proper quotes around strings and ensure commas are correctly placed.

Q: The generated token doesn't work in my application

A: Verify that you're using the correct algorithm and secret key. Also check that your application expects the claims you've included.

Q: RSA key generation fails

A: Ensure your browser supports the Web Crypto API. Try refreshing the page or using a different browser.

Q: How do I know if my token is valid?

A: Use the Decoder & Analyzer tool to decode and validate your generated token. It will show any issues with the token structure.

Security Considerations

Privacy: All token generation is performed locally in your browser. No tokens, keys, or secrets are transmitted to external servers.
Important: Generated RSA keys are for testing purposes only. For production use, generate keys using secure, offline methods.

Additional security considerations:

  • Don't use generated tokens in production without proper validation
  • Be careful when sharing tokens - they may contain sensitive information
  • Use appropriate key sizes for your security requirements
  • Consider the implications of token expiration and rotation

Integration Examples

Node.js Verification

const jwt = require('jsonwebtoken');

// For HMAC tokens
const secret = 'your-secret-key';
const token = 'your-generated-token';

try {
    const decoded = jwt.verify(token, secret);
    console.log('Token is valid:', decoded);
} catch (err) {
    console.error('Token verification failed:', err.message);
}

Python Verification

import jwt

# For HMAC tokens
secret = 'your-secret-key'
token = 'your-generated-token'

try:
    decoded = jwt.decode(token, secret, algorithms=['HS256'])
    print('Token is valid:', decoded)
except jwt.InvalidTokenError as e:
    print('Token verification failed:', str(e))

curl Testing

# Test with generated token
curl -H "Authorization: Bearer your-generated-token" \
     https://api.example.com/protected-endpoint

Related Tools

Combine the JWT Generator with other JWTAuditor tools for comprehensive JWT workflows:

Decoder & Analyzer

Validate and analyze your generated tokens

JWT Editor

Modify existing tokens or fine-tune generated ones

Secret Bruteforcer

Test token security by attempting to discover secrets