JWT sign & verify
ClientCreate or verify HMAC-signed JSON Web Tokens (HS256, HS384, HS512) in your browser. For read-only claim inspection, use JWT decode.
About JWT sign & verify
Sign HS256/384/512 JWTs or verify HMAC signatures in the browser—pair with JWT decode for claims. The interactive transform on this page runs in your browser tab—Toolcore does not need your paste for the core operation described above.
How to use this page
Paste or type in the main workspace, run the primary action from the toolbar, then copy or download the result. Use Load example when the page offers it, or URL prefill (?q= / ?qb=) so agents and tickets open the same input.
Limits and safety
Utilities here are for development and inspection—do not paste live production keys, PANs, or recovery codes into any browser tab you do not control.
Sign JWT
Header (JSON)
Payload (JSON)
?
The alg field in the signed header is set from your algorithm choice. Secret and JSON never leave this tab.
Nearby workflows on Toolcore
- JWT decode — Inspect JWT header and payload as JSON in browser; signature not verified. before you trust a token, digest, or key material in production.
- JWT verify (RSA / ECDSA) — Verify RS256/384/512 or ES256/384/512 JWTs with a PEM public key in the browser—Web Crypto only. before you trust a token, digest, or key material in production.
- HMAC (SHA-256 & more) — HMAC-SHA-256/384/512/1 in the browser—hex or Base64 for webhooks, signing, and API docs. before you trust a token, digest, or key material in production.
- OAuth PKCE generator — RFC 7636 code_verifier plus S256 code_challenge (SHA-256, base64url)—Web Crypto in your tab, no upload. before you trust a token, digest, or key material in production.
Common use cases
- Prototype OAuth or API gateways with HS256 test tokens before wiring your auth service.
- Confirm a shared secret still matches a token signature during integration debugging.
- Generate signed JWTs for local Postman or curl flows without installing CLI tools.
Common mistakes to avoid
Using this page for RS256 or ES256
Only HMAC algorithms (HS256/384/512) are supported. Asymmetric keys need your backend or a PEM workflow.
Treating verify as authorization
A valid signature only proves integrity with a secret you already trust—it does not replace issuer, audience, or expiry checks.
Pasting production secrets
Use throwaway secrets in demos. Rotate credentials if a production secret was exposed.
FAQ
Which algorithms are supported?
HS256, HS384, and HS512 using Web Crypto HMAC. The alg field in the signed header matches your selection.
How is this different from JWT decode?
Decode only reads header and payload. This page signs new tokens or verifies that the signature matches your HMAC secret.
Is my secret sent to Toolcore?
No. Signing and verification run entirely in your browser tab.
More tools
Related utilities you can open in another tab—mostly client-side.
JWT decode
ClientInspect JWT header and payload as JSON in browser; signature not verified.
JWT verify (RSA / ECDSA)
ClientVerify RS256/384/512 or ES256/384/512 JWTs with a PEM public key in the browser—Web Crypto only.
HMAC (SHA-256 & more)
ClientHMAC-SHA-256/384/512/1 in the browser—hex or Base64 for webhooks, signing, and API docs.
OAuth PKCE generator
ClientRFC 7636 code_verifier plus S256 code_challenge (SHA-256, base64url)—Web Crypto in your tab, no upload.