MARKETPLACE
PLUGINS
SIGNED TOKENS TOOLKIT (STT)
Signed Tokens Toolkit (STT) logo

Signed Tokens Toolkit (STT)

Published March 2026
   •    Updated March 2026

Plugin details

Create signed tokens from any text payload using HMAC-SHA256 and Base64URL encoding. Useful for secure URLs, signed requests, temporary download links, and custom verification flows.

The plugin also includes an action to verify tokens generated with this plugin.

Under the hood, the token encoding structure is this (notice the dot in the middle):

text = base64url(your_text)

signed_text = base64url(hmac_sha256(base64url(your_text), your_secret_key))

token = text + "." + signed_text

Which will look something like this (notice the dot in the middle):

"eyJ0IjoiZGlzdCIsIjE3Nzc3Nzc3Nzd9.4x6cP4hE2fD0v8l5sMK28uLmQ"


What is the secret key needed for?

The secret key is needed to generate the HMAC-SHA256 signature and/or verify it (the plugin also includes an action to verify such tokens.).

Keep the secret key value safe and never expose it in client-side workflows or page elements.

Free

For everyone

stars   •   0 ratings
1 installs  
This plugin does not collect or track your personal data.

Other actions

Platform

Web & Native mobile

Contributor details

Lorenzo Suffritti logo
Lorenzo Suffritti
Joined 2019   •   15 Plugins
View contributor profile

Instructions

Pass any text string as input, such as a JSON string or plain text. The plugin encodes the exact input value as Base64URL, signs that encoded payload with HMAC-SHA256 using the plugin secret, and returns a token with this encoding structure under the hood (notice the dot in the middle):

text = base64url(your_text)

signed_text = base64url(hmac_sha256(base64url(your_text), your_secret_key))

token = text + "." + signed_text

Which will look something like this (notice the dot in the middle):

"eyJ0IjoiZGlzdCIsImkiOiIxNzcyMzA4NTc0MjY3eDE4MzUxNDQ1MTU3NjYxOTAwMCIsImUiOjE3Nzc3Nzc3Nzd9.4x6cP4hE2fD0v8l5sM7YjQY9nK2kB1rR6pW3aZ8uLmQ"


What is the secret key needed for?

The secret key is needed to generate the HMAC-SHA256 signature and/or verify it (the plugin also includes an action to verify such tokens.).

Keep the secret key value safe and never expose it in client-side workflows or page elements.

Types

This plugin can be found under the following types:
Action

Categories

This plugin can be found under the following categories:
Technical   •   Compliance   •   Data (things)

Resources

Support contact

Rating and reviews

No reviews yet

This plugin has not received any reviews.
Bubble logo
Product
AI
Mobile
Design
Data
Logic
Collaboration
Security
Status
Release notes
Bubble for
Founders
Developers
Agencies
Enterprise
Discover
How Bubble works
Examples
Pricing
Learn
Academy
Technical guides
Blog
How to build
Coaching
Resources
Connect to AI
Marketplace
Templates
Plugins
Experts
Bootcamps
Certification
Partnerships
Affiliates
Figma to Bubble
Community
Bubble community
Forum
Newsletter
Podcast
Ideaboard
Early access
Store
Company
About
Careers
Brand guidelines
Support
Contact us
Legal
Terms
Privacy
©  2026, Bubble Group, Inc. All rights reserved.
Bubble
Pricing
Enterprise
Contact sales