JWT Secret Generator
Generate cryptographically secure secrets for JWT signing. These random keys can be used with HS256, HS384, and HS512 algorithms.
Security Best Practices:
- Use at least 256-bit keys for production
- Store secrets securely (environment variables, key vaults)
- Never commit secrets to version control
- Rotate keys regularly
Base64 URL-Safe Secrets
Hexadecimal Secrets
How to Use These Secrets
Node.js with jsonwebtoken:
const jwt = require('jsonwebtoken');
const secret = process.env.JWT_SECRET; // read from the environment, never from source
const token = jwt.sign({ userId: 123 }, secret, { algorithm: 'HS256' }); // pin the algorithm explicitly

Python with PyJWT:
import jwt
import os
secret = os.environ.get('JWT_SECRET')  # read from the environment, never from source
token = jwt.encode({'user_id': 123}, secret, algorithm='HS256')  # pin the algorithm explicitly

Environment Variable (.env):
JWT_SECRET=your_generated_secret_here

Frequently Asked Questions
What key size should I use for JWT signing?
For HS256 (HMAC with SHA-256), use at least 256-bit (32-byte) keys. For HS384, use at least 384-bit (48-byte) keys. For HS512, use at least 512-bit (64-byte) keys. Longer keys provide better security. In production, always use 256-bit or longer keys generated with a cryptographically secure random number generator, such as this tool, to ensure strong JWT signature security.
What is the difference between Base64 URL-safe and Hexadecimal secrets?
Base64 URL-safe encoding uses the characters A-Z, a-z, 0-9, - and _, making secrets compact and web-friendly for JWTs and URLs. Hexadecimal uses 0-9 and a-f, producing longer strings that are compatible with more systems. Both are cryptographically equivalent for the same bit length. Most JWT libraries accept either format; note that libraries such as jsonwebtoken and PyJWT use the secret string's own bytes as the HMAC key rather than decoding it, so a 32-byte random value becomes a 43-character Base64 URL-safe key or a 64-character hex key, and either carries the same 256 bits of entropy.
How should I store JWT secrets securely in my application?
Never hardcode secrets in source code. Use environment variables (process.env.JWT_SECRET), secure key management services (AWS KMS, Azure Key Vault, HashiCorp Vault), or encrypted configuration files. Never commit secrets to version control. Rotate keys regularly and use different secrets for development, staging, and production environments.
Can I use the same secret for multiple applications?
No! Each application should use unique JWT secrets for security isolation. If one application is compromised, attackers can't forge tokens for other applications. Use separate secrets for different environments (dev, staging, production) and different services. This principle of least privilege limits security breach impact.
How often should I rotate my JWT signing keys?
Rotate JWT secrets every 3-6 months as a security best practice. Implement key rotation without downtime by supporting multiple valid keys simultaneously during transition periods. When rotating, generate new tokens with the new key while still accepting tokens signed with the old key for a grace period. Automated key rotation enhances security.
Are these generated secrets truly random and secure?
Yes! This tool uses crypto.getRandomValues(), a cryptographically secure pseudorandom number generator (CSPRNG) provided by modern browsers. It produces unpredictable, uniformly distributed random values suitable for security-sensitive uses such as JWT secret generation. The secrets are generated entirely client-side, so they never leave your browser.