JWT Secret Security Guide
JSON Web Tokens (JWTs) are heavily reliant on the secrecy and entropy (randomness) of their signing keys. A weak secret can be easily brute-forced, allowing attackers to forge tokens and impersonate any user in your system.
Why Client-Side Generation?
Our JWT Secret Generator runs 100% inside your browser.
When you click generate, we use the window.crypto.getRandomValues() API to pull cryptographically secure random bytes directly from your operating system's entropy pool.
No secrets are ever sent to our servers.
Choosing the Right Length
The minimum secure length for an HMAC secret depends on the algorithm:
If your secret is shorter than the hash output, the cryptographic strength of the signature is reduced to the strength of your secret. We recommend 64 bytes (512-bit) as a safe default for all HS algorithms.
Asymmetric Keys (RS256 / ES256)
If you are using asymmetric algorithms (like RS256), a simple string secret is not enough. You must generate a public/private key pair (e.g., using ssh-keygen or openssl). The private key is used to sign the token, and the public key is distributed to services that need to verify the token.