Is this a real, valid JWT?

The structure is real: the header and payload are genuine JSON encoded with proper URL-safe base64url and no padding. The signature, however, is random bytes, so the token will fail cryptographic verification by design.

Why is the signature random?

A valid signature requires a secret or private key you control. Since the goal is testing how your code reads a token rather than trusting it, the tool fills the signature segment with correctly sized random base64url instead of signing.

What claims are included?

The payload includes sub, name, iat, nbf, exp, jti, iss, and aud. The iat and nbf are set to now and exp is now plus your chosen minutes, so you can test both valid and expired tokens.

How do I make an already-expired token?

Set the expiry to a small value and wait, or note that exp is computed from the current time. For immediate expiry testing, generate with a 1-minute window and let it lapse, then check your handler rejects it.

Does anything leave my browser?

No. Encoding uses the browser's built-in base64 and crypto functions, so tokens are generated locally and nothing is transmitted.

JWT-Format Token Generator

The JWT-Format Token Generator builds tokens in the exact three-part shape of a JSON Web Token — header.payload.signature, each segment base64url-encoded and joined by dots. It is meant for testing how your application parses, displays, and reacts to tokens, not for issuing real credentials.

How it works

A JWT has three segments. This tool builds them like this:

Header — a small JSON object such as {"alg":"HS256","typ":"JWT"}, encoded with URL-safe base64 (the + and / characters become - and _, and trailing = padding is stripped).
Payload — a claims object with sub, name, iat, nbf, exp, jti, iss, and aud. The exp claim is set to the current time plus your chosen minutes.
Signature — random bytes sized to match the algorithm (32 for HS256, 48 for HS384, 64 for HS512), then base64url-encoded.

Because the signature is random rather than computed from a secret, the token is structurally valid but cryptographically invalid.

Tips and notes

The decoded header and payload are shown below the token so you can confirm exactly what your parser will see.
Use the generated token as a Bearer value to test that your client stores, decodes, and renders claims correctly.
To exercise expiry handling, generate with a short window and verify your code rejects the token once exp passes.
This is never a substitute for a real signed token in production — anything checking the signature will and should reject it.