JWT: Verify Signature Secret Format.

I am trying to create a JWT. I am following the format provided here: https://jwt.io/

Under VERIFY SIGNATURE there is a property called secret

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret    
)

How do I create that secret in code? Can it be any string or it has to be a certain format?

Solution

The secret can be anything: when it is a string you can paste it verbatim in the "secret" entry, when it is a binary secret (a sequence of bytes) you should first base64-encode it, paste it in the "secret" box and tick the "secret base64 encoded" button.

Note that jwt.io can verify an existing JWT against a provided key, it cannot generate JWTs and sign them.

Facebook graph api returns 400 bad request with correct access token
How do I add audience validation using Spring OAuth without needing the issuer?
How to make Depends optional in FastAPI?
Getting refresh token for gmail API with Spring Security
Creating firebase user with authentication information from Salesforce
Where to store the refresh token on the Client?
AuthorizedClientServiceOAuth2AuthorizedClientManager: accessToken cannot be null
Ruby & IMAP - Accessing Office 365 with Oauth 2.0
3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
Swift Discord OAuth2 redirect URi not supported by Client
Apim policy to validat token for b2b and as well as b2c tenant token endpoints
Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
Google APIs Console - missing client secret
Automating access token refreshing via interceptors in axios
Supabase does not append code parameter to the redirect URL after OAuth login
How/why is login page redirect required?
Where can I find a list of scopes for Google's OAuth 2.0 API?
Using ASP.Net Core Identity in parallel with OpenIdConnect OAuth2
Spring security JWT without OAuth
Add OAuth authentication for HTTP request triggers
Get email, phone, etc from OAuth2 login
BFF pattern for native apps in OAuth 2.0?
Why is PKCE `code_verifier` calculated server-side in BFF pattern?
Apache strips down "Authorization" header
Fake Firebase Auth Tokens for Test Environment
Access Not Configured for Google OAUTH Login
Authenticating to Microsoft 365 SMTP servers via OAuth2 only works for users without MFA
Getting user data through an Azure AD OAuth login - React Native Expo App
Callback github URI with Oauth2 and Spring Boot 3.4.0 not found after authentication
spring oauth client (v6.4.2): does not redirect to oauth-server