How to Use the JSON Web Key (JWK) Generator

Step 1: Choose an Algorithm

Select one of the nine supported JWT signing algorithms:

RSA algorithms (asymmetric — public/private key pair):

• RS256 — RSA + SHA-256. Most common for JWTs. Well-supported across all platforms and libraries.
• RS384 — RSA + SHA-384. Stronger hash, still RSA.
• RS512 — RSA + SHA-512. Strongest RSA option.

EC algorithms (asymmetric — compact key pair):

• ES256 — ECDSA P-256 + SHA-256. Compact keys, faster than RSA, recommended for modern systems.
• ES384 — ECDSA P-384 + SHA-384.
• ES512 — ECDSA P-521 + SHA-512.

HMAC algorithms (symmetric — shared secret):

• HS256 — HMAC-SHA256. Single secret key used for both signing and verification.
• HS384 — HMAC-SHA384.
• HS512 — HMAC-SHA512.

Step 2: Configure Key Options

RSA Key Size (RSA algorithms only):

• 2048 bits — Recommended. Good security with fast generation.
• 3072 bits — Higher security, slightly slower.
• 4096 bits — Maximum security. May take 5–10 seconds to generate.

Use — Sets the use claim in the JWK:

• sig — Key is intended for signing and verification (most common for JWTs).
• enc — Key is intended for encryption and decryption.

Key ID (kid) — A unique identifier for the key, included in the kid JWK claim. Auto-generated as a random hex string. You can edit it to match your naming convention (e.g., my-key-2024, signing-key-v1). Click the refresh button to generate a new random kid.

Step 3: Generate Keys

Click Generate Keys. For RSA algorithms, generation may take a moment (especially at 4096 bits). For EC and HMAC, generation is near-instant.

Step 4: Use the Output

For RSA and EC algorithms, three tabs are available:

• Public Key — Share this publicly. Used by consumers to verify JWT signatures. Host this in your JWKS endpoint.
• Private Key — Keep this secret. Used by your server to sign JWTs. Store in a secrets manager or environment variable.
• JWKS — A complete { "keys": [...] } JSON object containing the public key. Ready to serve at your /.well-known/jwks.json endpoint.

For HMAC algorithms, two tabs are available:

• Secret Key — The symmetric key. Keep this secret — it is used for both signing and verification.
• JWKS (⚠ symmetric) — The JWKS format of the secret key. Warning: never expose HMAC keys in a public JWKS endpoint.

Click Copy to copy the current tab's content to your clipboard.

Security Notes

• Never commit private keys or HMAC secrets to source control. Store them in environment variables, AWS Secrets Manager, HashiCorp Vault, or similar.
• HMAC keys must stay private. Unlike RSA/EC, anyone with the HMAC key can forge tokens.
• Rotate keys periodically. Use the kid field to support multiple active keys during rotation.
• All keys are generated entirely in your browser using the Web Crypto API. Nothing is transmitted to any server.