JWT Builder-- Build JWT Tokens from JSON

Create unsigned JWT tokens from header and payload JSON for testing and development.

JWT Header JSON

JWT Payload JSON

Generated JWT Token

Why Use Our JWT Builder?

Custom Header

Define algorithm, type, and custom header fields in JSON.

Any Claims

Add standard or custom claims to the payload freely.

Proper Format

Generates correctly base64url-encoded JWT structure.

100% Private

All processing happens in your browser. Data never leaves.

One-Click Copy

Copy the generated JWT token to clipboard instantly.

Free Forever

No signup, no limits. Build unlimited JWT tokens free.

Other Encoding Tools

Base64 Encode

Encode text to Base64 format

Base64 Decode

Decode Base64 back to text

Base64 Image

Convert images to Base64 data URIs

URL Encode

Percent-encode text for URLs

URL Decode

Decode percent-encoded URL text

URL Parser

Parse URLs into components

Query Builder

Build URL query strings

HTML Encode

Encode special chars to HTML entities

HTML Decode

Decode HTML entities back to text

JWT Decoder

Decode and inspect JWT tokens

Unicode Escape

Escape/unescape Unicode sequences

Hex Encode

Encode/decode hexadecimal

ROT13

ROT13 cipher encoder/decoder

Complete JWT Builder Guide

JWT token building is the process of creating a JSON Web Token from its component parts: a header JSON object and a payload JSON object. Each part is serialized to a JSON string, base64url-encoded, and joined with dots to form the familiar three-part JWT format. Our builder creates correctly structured tokens for testing and development purposes.

The header defines the token's metadata, most importantly the signing algorithm (alg) and token type (typ). The payload carries the claims - key-value pairs that represent the token's data, including standard registered claims and any custom claims your application requires.

Our tool generates unsigned tokens (with an empty signature segment) because creating valid signatures requires secret keys that should never be handled in client-side code. These unsigned tokens are perfect for understanding JWT structure, prototyping authentication flows, and testing JWT parsing logic.

For production JWT generation, use server-side libraries that handle cryptographic signing: jsonwebtoken for Node.js, PyJWT for Python, java-jwt for Java, or System.IdentityModel.Tokens.Jwt for .NET.

JWT claims are the heart of the token's payload. The specification defines three categories:

Claim	Name	Description
iss	Issuer	Who issued the token (e.g., your auth server URL)
sub	Subject	Who the token is about (usually user ID)
aud	Audience	Intended recipient (e.g., API server)
exp	Expiration	Unix timestamp when token expires
iat	Issued At	Unix timestamp when token was created
nbf	Not Before	Token not valid before this timestamp
jti	JWT ID	Unique identifier to prevent replay attacks

Beyond registered claims, you can add any custom claims for your application: user roles, permissions, tenant IDs, feature flags, or any data your services need. Keep payloads minimal since tokens are sent with every request.

API Prototyping

Build sample tokens to test API endpoints that parse JWT claims. Verify your claim extraction logic handles various payload structures.

Frontend Development

Create test tokens for developing UI components that display user info from JWT claims, like user profile sections and role-based access controls.

Unit Test Fixtures

Generate tokens with specific claim combinations for unit tests. Test expired tokens, missing claims, invalid formats, and edge cases.

Learning JWT Structure

Experiment with different header and payload combinations to understand how JWT encoding works. Decode the output with our JWT Decoder to verify.

Documentation Examples

Create sample tokens for API documentation. Show developers what your tokens look like and which claims they should expect.

Debugging Auth Flows

Compare hand-built tokens with production tokens to identify claim differences. Useful for debugging OAuth/OIDC integration issues.

Keep payloads small: JWTs are sent with every HTTP request. Large payloads increase bandwidth usage. Include only essential claims - look up additional data server-side when needed.
Always include expiration: Every token should have an 'exp' claim. Short-lived tokens (5-15 minutes) for access, longer (7-30 days) for refresh tokens. Never issue tokens without expiration.
Use standard claim names: Stick to registered claim names (iss, sub, aud, exp, nbf, iat, jti) for interoperability. Prefix custom claims to avoid collisions (e.g., 'app_role' instead of 'role').
Never include secrets: Passwords, API keys, credit card numbers, and other secrets must never appear in JWT payloads. Remember: JWT content is readable by anyone with the token.

Well-designed JWT payloads balance information completeness with token size. Include enough claims for authorization decisions while keeping tokens compact for efficient transmission.

What does the JWT Builder do?

It creates an unsigned JWT token from header and payload JSON that you provide. The token has the correct base64url-encoded format with an empty signature segment, suitable for testing and development.

Are the generated tokens signed?

No, this tool creates unsigned tokens (the signature segment is empty). For production use, sign tokens server-side with proper libraries like jsonwebtoken (Node.js), PyJWT (Python), or java-jwt (Java).

Can I use these tokens in production?

Unsigned tokens should not be used in production. They are designed for testing, prototyping, and understanding JWT structure. Production tokens must be cryptographically signed with a secret or private key.

What JSON should I put in the header?

The header typically contains 'alg' (algorithm like HS256, RS256) and 'typ' (token type, usually 'JWT'). You can also include 'kid' (key ID) for key rotation. The algorithm field is required by most JWT libraries.

What claims should I include in the payload?

Standard claims include 'sub' (subject/user ID), 'iss' (issuer), 'aud' (audience), 'exp' (expiration timestamp), 'iat' (issued at), 'nbf' (not before), and 'jti' (unique token ID). Add custom claims as needed.

What format should expiration times use?

JWT timestamps use Unix epoch format (seconds since January 1, 1970). For example, 1735689600 represents January 1, 2025. Use Date.now()/1000 in JavaScript to get the current timestamp.

Is my data secure when building tokens?

Yes, all processing happens locally in your browser. Your header and payload JSON never leave your device, are never transmitted to servers, and are never stored.

How do I decode a JWT token?

Use our JWT Decoder tool to parse any JWT token and view its header, payload, and signature in formatted JSON. It handles all standard JWT formats.

What is base64url encoding?

Base64url is a URL-safe variant of standard base64. It replaces + with -, / with _, and removes trailing = padding. JWT uses base64url to ensure tokens are safe for URLs, headers, and cookies.

Can I build JWTs with custom algorithms?

You can specify any algorithm in the header JSON ('alg' field), but the token won't be cryptographically signed. The algorithm field only indicates which algorithm should be used for verification by the consumer.

What happens if the JSON is invalid?

The builder validates your JSON before encoding. If either the header or payload contains invalid JSON, you'll see an error message explaining the parsing issue.

Why is the signature segment empty?

Creating a valid signature requires a secret key (for HMAC) or private key (for RSA/ECDSA), which should never be handled in client-side browser code. The empty signature indicates an unsigned token.

JWT Builder Tool

Why Use Our JWT Builder?

Other Encoding Tools

Complete JWT Builder Guide