HS256 is HMAC with SHA-256 - a symmetric signing algorithm where the same secret both signs and verifies the token. It is the simplest and most common JWT algorithm. The alternative, RS256, uses a public/private key pair (asymmetric), which is better when many parties need to verify but only one should sign. This tool generates HS256 tokens, which is what most apps use for their own sessions.

Is this safe for production tokens?

Use it for testing and debugging, not for minting real production tokens. It runs entirely in your browser, but you should not paste a live signing secret into any web tool. For real tokens, sign on your server with a secret kept in a secret store - and use a strong, random secret, since a weak HS256 secret can be brute-forced offline from any token you issue.

How do I read a token back?

Use a JWT inspector to decode the header and claims and check the signature and expiry. Generating and inspecting are the two halves of working with JWTs - create one here to test your auth flow, then decode it to confirm the claims are what you expect.

Free tool · Runs in your browser · Nothing uploaded

Generate a signed JWT.

Set the claims and a secret and get a valid HS256-signed JSON Web Token — for testing an auth flow, a fixture, or debugging. Then decode it with our JWT inspector. Everything runs in your browser.

Payload claims (JSON)

Secret (HS256)

Add an expiry (exp) of hours from now, plus iat

Signed token

—

Two halves of the same job

A JWT is just three base64url parts — a header, your claims, and a signature — joined by dots. Generating one means encoding the header and payload, signing them with your secret, and appending the signature; anyone with the secret can then verify it hasn’t been tampered with. Being able to mint a token on demand makes testing an auth flow trivial, and decoding it back confirms your app is reading the claims it should.

The thing that makes the whole scheme work is the secret — and a weak one can be brute-forced offline from a single issued token, forging admin access. Signing on a server with a strong secret kept somewhere controlled, not scattered through configs, is part of the secrets discipline a control plane keeps honest.

Related free tools

Production-ready checkerScore your deploy Deploy error decoderDecode any deploy error CORS config generatorFix CORS the right way DATABASE_URL builderBuild or decode a conn string

All free tools →

Strong secrets, kept in one place.

Infraveil runs your backend on servers you own with signing secrets managed and access audited — so the keys that mint your tokens live in one controlled, inspectable place.

See how it works

Get the auth-security playbook

JWTs, secrets, sessions, and auth done safely for a backend you run yourself. No spam.