JWS Generator Online – Generate Keys & Sign Payloads

By Anish Nath - Security Engineer & Cryptography Expert | @anish2good | Last Updated: January 2025

Select JWS Algorithm

Choose the signing algorithm for your JWS:

  • HMAC (Symmetric): Shared secret key - best for internal services
  • RSA PKCS#1: Public/private key pair - widely compatible
  • RSA PSS: Modern RSA - recommended for new applications
  • ECDSA (Elliptic Curve): Smaller signatures - fast & modern

Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.

Understanding JSON Web Signatures (JWS)

A JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs), as defined in RFC 7515. JWS is the foundation of JWT (JSON Web Tokens), providing integrity protection and authentication for JSON payloads in modern web applications, APIs, and security protocols like OAuth 2.0 and OpenID Connect.

Key Benefits:
  • Data Integrity: Ensures payload hasn't been tampered with during transmission
  • Authentication: Verifies the identity of the signer
  • Compact Format: Base64URL-encoded header.payload.signature structure
  • Flexible Algorithms: Supports HMAC (symmetric) and RSA/ECDSA (asymmetric) signatures

JWS Compact Serialization Structure

A JWS token in compact serialization consists of three Base64URL-encoded parts separated by dots (.):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFuaXNoIE5hdGgiLCJpYXQiOjE1MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

Contains metadata about the token: algorithm (alg), token type (typ), and optionally key ID (kid).

Payload

Contains the claims (data) being signed. Can include standard claims like sub, iat, exp and custom claims.

Signature

Cryptographic signature over the header and payload. Ensures integrity and authenticity of the token.

JWS Header Fields (JOSE Header)

Field | Name | Required | Description
alg | Algorithm | Required | Cryptographic algorithm used (e.g., HS256, RS256, ES256)
typ | Type | Optional | Media type of the token, typically "JWT" for JSON Web Tokens
kid | Key ID | Optional | Hint indicating which key was used to sign. Useful for key rotation
jku | JWK Set URL | Optional | URL to a JWK Set containing the public key for verification
x5u | X.509 URL | Optional | URL to X.509 certificate chain for the signing key
x5c | X.509 Chain | Optional | X.509 certificate chain (Base64-encoded DER certificates)
crit | Critical | Optional | List of header parameters that MUST be understood by the receiver

Common JWT Payload Claims

When using JWS for JWT tokens, the payload typically contains these registered claims (defined in RFC 7519):

Claim | Name | Description | Example
iss | Issuer | Who issued the token (URL or string identifier) | "https://auth.example.com"
sub | Subject | The principal that is the subject of the JWT (user ID) | "user123"
aud | Audience | Recipients the JWT is intended for (string or array) | "https://api.example.com"
exp | Expiration Time | Unix timestamp after which the JWT is invalid | 1735689600
nbf | Not Before | Unix timestamp before which the JWT is not valid | 1704067200
iat | Issued At | Unix timestamp when the JWT was issued | 1704067200
jti | JWT ID | Unique identifier for the token (prevents replay attacks) | "abc123-def456"

Algorithm Comparison & Selection Guide

Algorithm | Type | Key Size | Signature Size | Best For
HS256 | HMAC (Symmetric) | 256-bit secret | 32 bytes | Internal services, microservices
HS384/HS512 | HMAC (Symmetric) | 384/512-bit secret | 48/64 bytes | Higher security internal use
RS256 | RSA PKCS#1 | 2048+ bit key pair | 256 bytes | Legacy systems, wide compatibility
PS256 | RSA PSS | 2048+ bit key pair | 256 bytes | Modern RSA (recommended over RS256)
ES256 | ECDSA P-256 | 256-bit key pair | 64 bytes | Mobile, IoT, high performance
ES384/ES512 | ECDSA P-384/P-521 | 384/521-bit key pair | 96/132 bytes | High security requirements

Use HMAC (HS256/384/512) When:
  • Both parties can securely share a secret key
  • Internal microservices communication
  • Single-server applications
  • Performance is critical (fastest algorithm)
  • Token issuer and verifier are the same entity

Use RSA/ECDSA When:
  • Third parties need to verify tokens (public key distribution)
  • Public-facing APIs and OAuth providers
  • Distributed systems with multiple verifiers
  • Verifier shouldn't have signing capability
  • Regulatory compliance requires asymmetric crypto

JWS Security Best Practices
  • Never use alg: none - Such a token carries no signature, so a verifier that accepts it skips signature verification entirely
  • Always validate the alg header - Whitelist expected algorithms to prevent algorithm confusion attacks
  • Use appropriate key sizes - RSA: 2048+ bits, ECDSA: P-256 or higher, HMAC: 256+ bits
  • Set expiration (exp) - Tokens should have a reasonable lifetime
  • Validate all claims - Check iss, aud, exp, nbf on verification
  • Use HTTPS only - Never transmit JWS tokens over unencrypted connections
  • Rotate keys regularly - Implement key rotation and use kid header
  • Keep private keys/secrets secure - Use HSMs or secret management systems in production
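
The compact serialization described earlier and the verification rules in this list, as an added example (not code from this tool or its author): a Python standard-library HS256 signer and a verifier that pins the algorithm to the key, rejects alg none, and checks iss, aud, nbf and exp. The key ID demo-2025, the secret and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed registry: each kid is pinned to exactly one algorithm and key.
KEYS = {"demo-2025": ("HS256", b"constructed-demo-secret-key-0001")}  # 256-bit
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac_b64(alg: str, key: bytes, signing_input: str) -> str:
    return b64url(hmac.new(key, signing_input.encode(), HASHES[alg]).digest())

def sign(claims: dict, kid: str) -> str:
    alg, key = KEYS[kid]
    parts = ({"alg": alg, "typ": "JWT", "kid": kid}, claims)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + mac_b64(alg, key, signing_input)

def verify(token: str, issuer: str, audience: str, now=None) -> dict:
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))  # untrusted until the MAC check
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        raise ValueError("unknown kid")
    alg, key = KEYS[kid]
    # alg is compared with the pinned value, never used to pick a routine.
    if header.get("alg") != alg or "crit" in header:
        raise ValueError("unexpected alg or crit")
    expected = mac_b64(alg, key, f"{h64}.{p64}")
    if not hmac.compare_digest(expected.encode(), s64.encode()):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if claims.get("iss") != issuer or audience not in auds:
        raise ValueError("wrong iss or aud")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not all(isinstance(v, (int, float)) for v in (exp, nbf)) or not nbf <= now < exp:
        raise ValueError("outside validity window")
    return claims
```

The signature is compared in its encoded form, so a signature segment with extra or non-alphabet characters fails instead of being silently normalised by the Base64 decoder.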

Supported JWS Algorithms

HMAC (Symmetric)
  • HS256 - HMAC with SHA-256, requires 256+ bit secret
  • HS384 - HMAC with SHA-384, requires 384+ bit secret
  • HS512 - HMAC with SHA-512, requires 512+ bit secret

RSA PKCS#1 (Asymmetric)
  • RS256 - RSA PKCS#1 v1.5 signature with SHA-256
  • RS384 - RSA PKCS#1 v1.5 signature with SHA-384
  • RS512 - RSA PKCS#1 v1.5 signature with SHA-512

RSA PSS (Modern RSA)
  • PS256 - RSA PSS signature with SHA-256
  • PS384 - RSA PSS signature with SHA-384
  • PS512 - RSA PSS signature with SHA-512

ECDSA (Elliptic Curve)
  • ES256 - ECDSA P-256 curve with SHA-256
  • ES384 - ECDSA P-384 curve with SHA-384
  • ES512 - ECDSA P-521 curve with SHA-512

About This Tool & Author

Expert-Maintained Cryptography Tool

This JWS generator is developed and maintained by Anish Nath (@anish2good), a Security Engineer and Cryptography Expert with extensive experience in network security and cryptographic implementations. The tool has been serving the developer and DevOps community since 2020, providing reliable JWS generation for testing and development.

Security & Privacy Commitment

  • No Data Collection: Your keys and payloads are processed only in your browser. Nothing is stored on our servers.
  • Industry Standards: Uses proven cryptographic libraries implementing RFC 7515 (JWS) and RFC 7519 (JWT) standards.
  • Regular Updates: Tool is actively maintained with security best practices and algorithm support updated regularly.
  • Open Source Standards: Compatible with JWT, OAuth 2.0, OpenID Connect, and all major cryptographic implementations.
