DataToolings

JWT Key Generator

Generate RS256, RS384, RS512, ES256, ES384, or ES512 key pairs for JWT signing. Export PEM and JWK formats instantly in your browser.

Algorithm

RSA PKCS#1 v1.5, 2048-bit modulus, SHA-256

What Is JWT Key Generator?

JWT Key Generator creates asymmetric key pairs for signing JSON Web Tokens using RSA (RS256/RS384/RS512) or Elliptic Curve (ES256/ES384/ES512) algorithms. Keys are generated using the browser's Web Crypto API — nothing is ever sent to a server. Export keys in PEM or JWK format ready to paste into your application.

How to Use

  1. Select an algorithm — RS256 or ES256 are most common
  2. Click Generate Key Pair and wait a moment (RSA 4096 takes a few seconds)
  3. Copy the private key PEM for your auth server signing config
  4. Copy the public key PEM or JWK for your API / resource server verification
  5. Use the JWK output to build a JWKS endpoint (e.g., /.well-known/jwks.json)

Features

  • RSA: RS256 (2048-bit), RS384 (3072-bit), RS512 (4096-bit)
  • EC: ES256 (P-256), ES384 (P-384), ES512 (P-521)
  • Exports PEM (PKCS#8 private, SPKI public) and JWK formats
  • JWK output includes alg and use: "sig" for JWKS endpoints
  • Uses browser Web Crypto API — keys are generated and stay in your browser

Frequently Asked Questions

Which algorithm should I choose?

ES256 (P-256) is a good default — smaller keys, fast verification, and widely supported. RS256 is more universally compatible with older libraries. Use RS512 or ES512 only if your security policy requires it.

How do I use the JWK output?

Wrap the public JWK in a keys array and serve it at /.well-known/jwks.json. Resource servers can fetch this URL to verify tokens without sharing the private key.
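The wrapping step described above, as an added example (not this tool's own code): it builds the `keys` array and refuses any JWK that still carries private members, so pasting the wrong export cannot end up on a public endpoint. The function names `buildJwks` and `generateEs256Jwks` and the caller-chosen `kid` values are assumptions; `kid` is the standard JWK key-ID member that lets verifiers pick the right key.

```javascript
// JWK members that carry private or secret key material (RFC 7518):
// d (RSA and EC), p/q/dp/dq/qi/oth (RSA CRT values), k (symmetric keys).
const PRIVATE_MEMBERS = ["d", "p", "q", "dp", "dq", "qi", "oth", "k"];
// Public members copied per key type; anything else (ext, key_ops) is dropped.
const PUBLIC_MEMBERS = { RSA: ["n", "e"], EC: ["crv", "x", "y"] };
const ALGS = { RSA: ["RS256", "RS384", "RS512"], EC: ["ES256", "ES384", "ES512"] };

// Build the document served at /.well-known/jwks.json from
// [{ jwk, alg, kid }] entries. A private JWK causes a throw instead of
// being silently stripped, so the mix-up is noticed before publishing.
function buildJwks(entries) {
  const keys = entries.map(({ jwk, alg, kid }) => {
    const leaked = PRIVATE_MEMBERS.filter((m) => m in jwk);
    if (leaked.length) {
      throw new Error(`private JWK members present: ${leaked.join(",")}`);
    }
    const allowed = PUBLIC_MEMBERS[jwk.kty];
    if (!allowed) throw new Error(`unsupported kty: ${jwk.kty}`);
    if (!ALGS[jwk.kty].includes(alg)) {
      throw new Error(`alg ${alg} does not match kty ${jwk.kty}`);
    }
    const out = { kty: jwk.kty, use: "sig", alg, kid };
    for (const m of allowed) {
      if (typeof jwk[m] !== "string") throw new Error(`missing member: ${m}`);
      out[m] = jwk[m];
    }
    return out;
  });
  if (new Set(keys.map((k) => k.kid)).size !== keys.length) {
    throw new Error("duplicate kid");
  }
  return { keys };
}

// Generate an ES256 (P-256) pair with Web Crypto and return the JWKS
// document plus the private CryptoKey, which never enters the JWKS.
// Assumes a browser or a runtime that exposes globalThis.crypto.subtle.
async function generateEs256Jwks(kid) {
  const { subtle } = globalThis.crypto;
  const pair = await subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
  const publicJwk = await subtle.exportKey("jwk", pair.publicKey);
  const jwks = buildJwks([{ jwk: publicJwk, alg: "ES256", kid }]);
  return { jwks, privateKey: pair.privateKey };
}
```
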

Is it safe to generate keys in the browser?

Yes — the Web Crypto API generates cryptographically secure keys using OS-level entropy. No key material leaves the browser. For production, treat any generated private key as sensitive and store it securely (e.g., HashiCorp Vault, AWS Secrets Manager).

What is the difference between PEM and JWK?

PEM is the classic Base64-encoded DER format used by OpenSSL and most server frameworks. JWK (JSON Web Key) is the JSON representation preferred by OIDC providers and JWKS endpoints.