JWT Secret Generator
Generate cryptographically secure random keys using crypto.getRandomValues(). Supports 32 to 512 bits of entropy.
Generated using crypto.getRandomValues(). No data leaves your browser.
How to Use This Tool
Select your desired key length using the presets (128-bit for testing, 256-bit for standard production use, 512-bit for high-security environments) or drag the slider to a custom bit length.
Click "Generate" to produce a cryptographically secure random key using your browser's Web Crypto API. The key is displayed as a hex-encoded string. Click the eye icon to toggle visibility, or the copy button to copy it to your clipboard.
Paste the generated secret into your application's environment variables (e.g., JWT_SECRET=your-key-here). Never hardcode it in source code or commit it to a repository.
Code Examples
const jwt = require('jsonwebtoken');
const secret = 'YOUR_GENERATED_SECRET_HERE';
// Sign a token
const token = jwt.sign(
{ userId: 123, role: 'user' },
secret,
{ algorithm: 'HS256', expiresIn: '1h' }
);
// Verify a token
const payload = jwt.verify(token, secret, { algorithms: ['HS256'] });
console.log(payload); // { userId: 123, role: 'user', iat: ..., exp: ... }
Frequently Asked Questions
What is a JWT secret key?
A JWT secret key is a cryptographic value used to sign JSON Web Tokens with HMAC algorithms like HS256, HS384, or HS512. The secret must be kept private — anyone with the secret can forge valid tokens, granting unauthorized access to your application.
How long should my JWT secret be?
Use at least 256 bits (32 bytes) for HS256, and 512 bits (64 bytes) for HS512. Shorter secrets are vulnerable to brute-force attacks. This generator defaults to 256-bit keys for compatibility and offers 512-bit keys for high security. Never use a human-readable passphrase as a JWT secret.
Is this generator safe to use?
Yes. All key generation happens entirely in your browser using the Web Crypto API — a native, audited cryptographic API built into all modern browsers. No data is ever sent to any server. You can verify this by opening your browser's developer tools, going to the Network tab, and confirming there are no outbound requests when you generate a key.
Where should I store my JWT secret?
Store it as an environment variable in your deployment environment (e.g., JWT_SECRET=your-key in a .env file, or in your hosting platform's secrets manager). Never hardcode it in source code or commit it to a repository. For production systems, use a dedicated secrets manager like AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager.
Can I use the same JWT secret for multiple environments?
No. Always generate separate, unique secrets for development, staging, and production environments. This limits the blast radius if one environment is compromised — an attacker who obtains your staging secret cannot forge tokens against your production API.