Application

JWT (HS256)

A JSON Web Token signed with HMAC-SHA-256. The three dot-separated parts (header, payload, signature) are base64url-encoded. Edit the JSON or the secret and watch the signature change in real time.

Header (JSON)

Payload (JSON)

HMAC secret

For HS256, any string is fine; 32+ bytes is recommended.

Signed JWT

…

How HS256 works

Encode header as JSON, then base64url.
Encode payload as JSON, then base64url.
Compute HMAC-SHA-256(secret, header + "." + payload).
Base64url-encode the HMAC tag.
Token = header.payload.signature.