How to Create and Sign a JWT

Creating a JWT means building two JSON objects (the header and the payload), base64url-encoding each of them, and signing the encoded pair with a key only the issuer controls. Here's the full process.

Step 1: Build the header

{ "alg": "HS256", "typ": "JWT" }

Step 2: Build the payload (claims)

Include whatever claims your app needs, plus the standard ones: iat (issued at) and exp (expiry), both as Unix timestamps in seconds:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Step 3: Encode and sign

Base64url-encode (without '=' padding) the JSON of the header and of the payload, join the two with a dot, and compute the signature over exactly those bytes. In Node, with header, payload and secret from the steps above:

const crypto = require('crypto');
const b64url = (s) => Buffer.from(s).toString('base64url');   // RFC 7515 base64url, no padding

const data = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
const signature = crypto.createHmac('sha256', secret).update(data).digest('base64url');
const jwt = data + '.' + signature;

The result is your token: header.payload.signature.

Choosing an algorithm

  • HS256: one shared secret does both the signing and the verifying. Simple, and fine for a single service, but every party that can verify can also mint tokens, so never hand the secret to a verifier you would not trust to issue.
  • RS256: the private key signs, the public key verifies. Better when multiple parties need to verify but must not be able to sign; the public key can be distributed freely.

Whichever you choose, the verifier decides which algorithm it accepts and rejects any token whose header says otherwise. Until the signature has been checked, the header's alg is just input supplied by whoever sent the token.

Security tips

  • Use a long, random secret: at least 32 bytes for HS256 (the length of the HMAC output), generated from a cryptographic random source, never a password or a string someone typed.
  • Always set an exp so tokens don't live forever, and check it on every verification.
  • Never put sensitive data in the payload: base64url is encoding, not encryption, so anyone who holds the token can read it.

Generate one instantly

The JWT generator builds and signs a token from your claims and secret, with one-click iat and exp helpers. Then confirm it with the JWT validator.
