JWT sign (RSA / ECDSA)
ClientSign with a PEM private key locally via Web Crypto.
About JWT sign (RSA / ECDSA)
Sign RS256/384/512 or ES256/384/512 JWTs with a PKCS#8 PEM private key in the browser—Web Crypto only. The interactive transform on this page runs in your browser tab—Toolcore does not need your paste for the core operation described above.
How to use this page
Paste or type in the main workspace, run the primary action from the toolbar, then copy or download the result. Use Load example when the page offers it, or URL prefill (?q= / ?qb=) so agents and tickets open the same input.
Limits and safety
Utilities here are for development and inspection—do not paste live production keys, PANs, or recovery codes into any browser tab you do not control.
Sign with an RSA or ECDSA private key (PKCS#8 PEM). Verify on JWT verify (RSA / ECDSA); HMAC on JWT sign & verify.
PEM private key
?
Paste PKCS#8 (BEGIN PRIVATE KEY). Never share production keys on shared machines.
Header & payload
Nearby workflows on Toolcore
- JWT verify (RSA / ECDSA) — Verify RS256/384/512 or ES256/384/512 JWTs with a PEM public key in the browser—Web Crypto only. before you trust a token, digest, or key material in production.
- JWT sign & verify — Sign HS256/384/512 JWTs or verify HMAC signatures in the browser—pair with JWT decode for claims. before you trust a token, digest, or key material in production.
- JWT decode — Inspect JWT header and payload as JSON in browser; signature not verified. before you trust a token, digest, or key material in production.
- PEM / X.509 viewer — Decode PEM certificates in the browser—subject, issuer, validity; paste only what you trust. before you trust a token, digest, or key material in production.
Common use cases
- Mint RS256 service tokens for staging when you already have a PEM private key.
- Sign ES256 client assertions for OAuth tests without sending keys to a server.
- Round-trip check signatures on JWT verify (RSA / ECDSA) in the same browser session.
Common mistakes to avoid
Private key on shared machines
Treat PEM like a password—prefer ephemeral keys for demos.
Mismatching alg in header JSON
The selected algorithm must match the key type and header alg field.
FAQ
Which PEM format?
PKCS#8 private keys (BEGIN PRIVATE KEY). RSA and ECDSA curves per algorithm.
Is HMAC supported?
No—use JWT sign & verify for HS256/384/512.
More tools
Related utilities you can open in another tab—mostly client-side.
JWT verify (RSA / ECDSA)
ClientVerify RS256/384/512 or ES256/384/512 JWTs with a PEM public key in the browser—Web Crypto only.
JWT sign & verify
ClientSign HS256/384/512 JWTs or verify HMAC signatures in the browser—pair with JWT decode for claims.
JWT decode
ClientInspect JWT header and payload as JSON in browser; signature not verified.
PEM / X.509 viewer
ClientDecode PEM certificates in the browser—subject, issuer, validity; paste only what you trust.