Jwt Encode

189 installs5 stars

Summary

This does one thing well: it generates signed JWTs from the command line without you needing to spin up a test server or paste secrets into some random website. It picks the best available toolchain (Node's jose library, Python's PyJWT, or raw OpenSSL for HMAC), handles the boilerplate around iat and exp claims, and crucially keeps secrets out of your shell history by using inline environment variables. The security guardrails are sensible, it warns you about unsigned tokens, and it'll generate test RSA or ECDSA keys if you need asymmetric signing. Handy for local development, integration tests, or debugging auth flows when you need a valid token right now.

Install to Claude Code

npx -y skills add jsonwebtoken/jwt-skills --skill jwt-encode --agent claude-code

Installs into .claude/skills of the current project.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Files

SKILL.mdView on GitHub

JWT Encode

Create and sign JWTs for testing and development.

Steps

Gather inputs: claims/payload, algorithm (default: HS256), secret or key, expiration (default: 1 hour).
Build header: {"alg": "HS256", "typ": "JWT"}. Add kid if provided.
Build payload: Always include iat and exp unless the user opts out. Add user-specified claims.
Sign the token using the best available method (see below).
Display the result: the full JWT string and a decoded breakdown of header + payload.

Signing Methods

Pick the first available. Use the user's claims, secret, and algorithm — the examples below are templates only. Always pass the secret via an inline env var to avoid shell history exposure.

Node.js (preferred):

First, ensure jose is available — install it globally if missing:

node --input-type=module -e "await import('jose')" 2>/dev/null || npm install -g jose

Then sign the token:

JWT_SECRET='user-provided-secret' node --input-type=module -e "import {SignJWT} from 'jose'; console.log(await new SignJWT({sub:'1234567890'}).setProtectedHeader({alg:'HS256'}).setIssuedAt().setExpirationTime('1h').sign(new TextEncoder().encode(process.env.JWT_SECRET)))"

Python:

JWT_SECRET='user-provided-secret' python3 -c "import jwt,time; print(jwt.encode({'sub':'1234567890','iat':int(time.time()),'exp':int(time.time())+3600}, __import__('os').environ['JWT_SECRET'], algorithm='HS256'))"

Bash (HMAC-SHA256 only):

header=$(printf '{"alg":"HS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
payload=$(printf '{"sub":"1234567890","iat":1700000000,"exp":1700003600}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
signature=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -hmac "$JWT_SECRET" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=')
printf '%s.%s.%s\n' "$header" "$payload" "$signature"

Generating Test Keys

Only when the user needs asymmetric keys:

# RSA
openssl genrsa -out private.pem 2048 && openssl rsa -in private.pem -pubout -out public.pem
# ECDSA P-256
openssl ecparam -genkey -name prime256v1 -noout -out private-ec.pem && openssl ec -in private-ec.pem -pubout -out public-ec.pem

Security Rules

Never pass secrets as literal command-line arguments. Use environment variables ($JWT_SECRET) or file input (--secret-file). Command args are visible in shell history and ps output.
Never install packages without user consent. Do not use npx -y or pip install silently.
If the user doesn't provide a secret, generate a random one with openssl rand -base64 32 and clearly label it as a test-only secret.
alg: none — If the user requests it, warn that this creates an unsigned token exploitable via CVE-2015-9235. Only create it after explicit confirmation.
Generated key files — Remind the user to delete test keys when done. Never write keys to version-controlled directories.

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

First SeenJun 3, 2026

View on GitHub

Steps

Gather inputs: claims/payload, algorithm (default: HS256), secret or key, expiration (default: 1 hour).

Build header: {"alg": "HS256", "typ": "JWT"}. Add kid if provided.

Build payload: Always include iat and exp unless the user opts out. Add user-specified claims.

Sign the token using the best available method (see below).

Display the result: the full JWT string and a decoded breakdown of header + payload.

Signing Methods

Pick the first available. Use the user's claims, secret, and algorithm — the examples below are templates only. Always pass the secret via an inline env var to avoid shell history exposure.

Node.js (preferred):

First, ensure jose is available — install it globally if missing:

node --input-type=module -e "await import('jose')" 2>/dev/null || npm install -g jose

Then sign the token:

JWT_SECRET='user-provided-secret' node --input-type=module -e "import {SignJWT} from 'jose'; console.log(await new SignJWT({sub:'1234567890'}).setProtectedHeader({alg:'HS256'}).setIssuedAt().setExpirationTime('1h').sign(new TextEncoder().encode(process.env.JWT_SECRET)))"

Python:

JWT_SECRET='user-provided-secret' python3 -c "import jwt,time; print(jwt.encode({'sub':'1234567890','iat':int(time.time()),'exp':int(time.time())+3600}, __import__('os').environ['JWT_SECRET'], algorithm='HS256'))"

Bash (HMAC-SHA256 only):

header=$(printf '{"alg":"HS256","typ":"JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=') payload=$(printf '{"sub":"1234567890","iat":1700000000,"exp":1700003600}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=') signature=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -hmac "$JWT_SECRET" -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=') printf '%s.%s.%s\n' "$header" "$payload" "$signature"

# RSA openssl genrsa -out private.pem 2048 && openssl rsa -in private.pem -pubout -out public.pem # ECDSA P-256 openssl ecparam -genkey -name prime256v1 -noout -out private-ec.pem && openssl ec -in private-ec.pem -pubout -out public-ec.pem

Security Rules

Never pass secrets as literal command-line arguments. Use environment variables ($JWT_SECRET) or file input (--secret-file). Command args are visible in shell history and ps output.

Never install packages without user consent. Do not use npx -y or pip install silently.

If the user doesn't provide a secret, generate a random one with openssl rand -base64 32 and clearly label it as a test-only secret.

alg: none — If the user requests it, warn that this creates an unsigned token exploitable via CVE-2015-9235. Only create it after explicit confirmation.

Generated key files — Remind the user to delete test keys when done. Never write keys to version-controlled directories.

Jwt Encode

Install to Claude Code

JWT Encode

Steps

Signing Methods

Generating Test Keys

Security Rules

Jwt Encode

Install to Claude Code

JWT Encode

Steps

Signing Methods

Generating Test Keys

Security Rules

Recommended

Recommended