JWT Secret Generator

Generate high-entropy keys for JSON Web Tokens securely.

Length of the random byte array before encoding. Minimum 32 bytes (256-bit) recommended.

Generated Secret

Your Secure Secret

Generated locally using Web Crypto API. Never sent over the network.

JWT Secret Security Guide

JSON Web Tokens (JWTs) are heavily reliant on the secrecy and entropy (randomness) of their signing keys. A weak secret can be easily brute-forced, allowing attackers to forge tokens and impersonate any user in your system.

Why Client-Side Generation?

Our JWT Secret Generator runs 100% inside your browser.

When you click generate, we use the window.crypto.getRandomValues() API to pull cryptographically secure random bytes directly from your operating system's entropy pool.

No secrets are ever sent to our servers.

Choosing the Right Length

The minimum secure length for an HMAC secret depends on the algorithm:

  • HS256: Requires at least a 256-bit secret (32 bytes).
  • HS384: Requires at least a 384-bit secret (48 bytes).
  • HS512: Requires at least a 512-bit secret (64 bytes).
  • If your secret is shorter than the hash output, the cryptographic strength of the signature is reduced to the strength of your secret. We recommend 64 bytes (512-bit) as a safe default for all HS algorithms.

    Asymmetric Keys (RS256 / ES256)

    If you are using asymmetric algorithms (like RS256), a simple string secret is not enough. You must generate a public/private key pair (e.g., using ssh-keygen or openssl). The private key is used to sign the token, and the public key is distributed to services that need to verify the token.