SD-JWT generator

Issue a demo RFC 9901 SD-JWT: your claims, your choice of what's selectively disclosable, signed with a fresh throwaway ES256 key. Then take it apart in the debugger.

Requests are processed in memory on our server by the open-source PHP packages this site documents — nothing is stored, and request bodies are never logged.

What you get

The claims you mark disclosable leave the signed payload — only their salted digests stay in _sd; the values travel as separate disclosures after the ~ separators. The response includes the issuer's public key (PEM and JWK) so you can verify the token — in the SD-JWT debugger or in code — and the private key so nothing about the demo is hidden. The keys are generated per request and never stored; don't reuse them for anything real.

Do it in PHP

use K2gl\SdJwt\Jws\JwsSigner;
use K2gl\SdJwt\Sd;
use K2gl\SdJwt\SdJwtIssuer;

$sdJwt = new SdJwtIssuer(JwsSigner::es256FromPem($issuerPrivatePem))->issue([
    'iss' => 'https://issuer.example.com',
    'sub' => 'user_42',
    'given_name' => Sd::hide('John'),   // selectively disclosable
    'family_name' => Sd::hide('Doe'),
]);

echo $sdJwt->toCompact();

Powered by k2gl/sd-jwt; for issuing verifiable credentials (dc+sd-jwt) on top, see k2gl/sd-jwt-vc.