JWT Secret Generator
Generate cryptographically secure random keys using the Web Crypto API.
All generation happens client-side. No data is sent to any server.
Security Tools
13 tools — all run locally in your browser.
JWT Token Validator
Validate JWT tokens, verify signatures, check expiration, and inspect header and payload claims.
Use NowHash Generator
Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes instantly in your browser.
Use NowAPI Key Generator
Generate secure API keys in UUID, hex, alphanumeric, or Base64 format with custom prefixes.
Use NowSecurity Best Practices
Three pillars of JWT secret key security.
Use Strong Keys
Use at least 256-bit cryptographically random secrets. Weak or guessable keys can be brute-forced offline.
Regular Rotation
Rotate JWT secrets periodically using the kid header for zero-downtime key transitions.
Secure Storage
Store secrets in environment variables or a dedicated secrets manager. Never hardcode in source code.
Understanding JWT Secret Keys
Security essentials every developer should know.
What is a JWT secret key?
A cryptographic key used to sign and verify JSON Web Tokens, ensuring their integrity and authenticity.
How long should my JWT secret be?
Minimum 256 bits (32 bytes) for HS256. Use 512 bits for HS512 or high-security environments.
HS256 vs RS256?
HS256 uses a single shared secret. RS256 uses a private/public key pair — better for microservices and third-party verification.
Where should I store JWT secrets?
Use environment variables for simple setups. For production, compare Vault, cloud KMS, and env vars in our storage guides.
What is Base64URL encoding?
A URL-safe variant of Base64 used in JWT header and payload segments. Padding is optional and +/ are replaced.
What is a refresh token?
A long-lived credential used to obtain new access tokens without re-authenticating the user.
