JWT Secret Key Generator — HS256 / HS512
Generate a cryptographically secure secret key for signing JSON Web Tokens (JWTs). Whether you need an HS256, HS384, or HS512 secret, get a properly sized random key instantly — ready to paste into your .env file.
Tips
Key size requirements by algorithm
HS256 requires a minimum 32-byte (256-bit) secret. HS384 needs 48 bytes. HS512 needs 64 bytes. Always use at least the minimum — longer is better.
Use base64 encoding for secrets
JWT libraries typically accept secrets as UTF-8 strings or base64-encoded bytes. A 64-character base64 string gives 48 bytes of entropy — suitable for HS256.
Different secrets per environment
Use separate JWT secrets for development, staging, and production. A leaked development secret should never compromise production tokens.
Store in environment variables
Set your JWT secret as JWT_SECRET in your .env file. Never hardcode it in your application source code or configuration files committed to git.
Secret Key Generator
Security: Generate secure random keys, API tokens, or passwords.
About this tool
What is the Secret Key Generator?
The Secret Key Generator creates cryptographically random keys, passwords, API tokens, UUIDs, passphrases, and secrets using your browser's built-in Web Crypto API. Choose an output mode, configure the settings, and a new value is generated instantly — nothing is ever sent to a server.
Output Modes
Random string — the classic mode. Set a length and choose which character types to include: uppercase, lowercase, numbers, and symbols. The entropy panel shows exactly how strong the result is in bits, along with a crack time estimate.
UUID — generates a standard UUID in either v4 (fully random, 122 bits of entropy) or v7 (time-ordered, sortable, ideal for database primary keys) format. UUID v7 encodes the current timestamp in the top 48 bits, making generated IDs sortable by creation time — a significant advantage for indexed database columns.
Hex — generates a hexadecimal string from a specified number of random bytes. Every byte produces two hex characters. A 32-byte hex string is 256 bits and suitable for encryption keys, nonces, and HMAC secrets.
Base64url — encodes random bytes as a URL-safe Base64 string with no padding and no + or / characters. This format is used directly in JWTs, OAuth tokens, and HTTP Authorization headers without further encoding.
API key — generates a prefixed key in the style used by Stripe, Anthropic, and other services (sk_live_…, pk_…, api_…). Prefixed keys are easier to identify in logs, easier to rotate per environment, and harder to accidentally commit than bare random strings.
Passphrase — generates a memorable phrase from a wordlist, in the style of the XKCD 936 / EFF recommendation. Configure the number of words, separator, capitalization, and whether to append a number. Passphrases are significantly easier to type and remember than random strings while still providing strong security at five or more words.
How to Use the Generator
- Choose a mode. Click one of the six mode tabs at the top.
- Adjust the settings. Each mode has its own controls — length, byte count, prefix, word count, separator, and so on. The output updates automatically as you change any setting.
- Copy or regenerate. Click the copy icon to copy the output to your clipboard. Click the regenerate icon to generate a new value with the same settings.
- Read the entropy panel. Every output shows its strength in bits and an estimated crack time at one billion guesses per second, which is a realistic offline attack rate for a fast hash function.
Why Cryptographic Randomness Matters
Not all randomness is equal. JavaScript's Math.random() uses a deterministic pseudorandom number generator — its output is predictable given the seed, making it completely unsuitable for security-sensitive values.
This tool uses crypto.getRandomValues() exclusively, which draws entropy from the operating system — hardware timing, interrupt noise, and other genuinely unpredictable sources. The output is computationally infeasible to predict or reverse. For any value that needs to be a secret, this is the only acceptable approach.
To eliminate modulo bias, a subtle flaw where some characters appear slightly more often than others when random bytes are reduced modulo the size of the character set, the generator uses rejection sampling: any byte at or above the largest multiple of the charset size that fits in 256 is discarded and a fresh byte is drawn.
Understanding the Entropy Panel
Entropy is measured in bits. Each bit doubles the number of possible values an attacker would need to try. The crack time estimates assume an attacker making one billion guesses per second, which is achievable with commodity hardware attacking an unsalted fast hash (MD5, SHA-1). Against a properly salted slow hash (bcrypt, Argon2), crack times would be orders of magnitude longer.
The strength levels used by this tool:
- Weak — below 64 bits. Avoid for any security use.
- Fair — 64–95 bits. Acceptable for short-lived tokens; not recommended for long-lived secrets.
- Strong — 96–127 bits. Good for most applications.
- Excellent — 128 bits and above. Suitable for encryption keys, JWT secrets, and any high-value secret.
Note: crack time is shown for secrets and passwords. For UUIDs, crack time is not applicable — UUIDs are identifiers, not secrets, and guessing a UUID is not a relevant attack model.
Recommended Settings by Use Case
| Use case | Mode | Settings |
|---|---|---|
| Application password | Random | 20+ chars, all character types |
| JWT secret (HS256) | Base64url | 32 bytes (256 bits) |
| JWT secret (HS512) | Base64url | 64 bytes (512 bits) |
| API key | API key | sk_live_ prefix, 32-char body |
| Database primary key | UUID | v7 (sortable) |
| Unique identifier | UUID | v4 (fully random) |
| Encryption key | Hex | 32 bytes (AES-256) |
| HMAC secret | Hex or Base64url | 32 bytes minimum |
| Memorable password | Passphrase | 5+ words, append number |
| Session token | Random or Hex | 32 chars / 16 bytes |
Privacy
Key generation happens entirely in your browser using the Web Crypto API. No generated values, settings, or usage data are sent to any server or stored anywhere. Close the tab and the keys are gone.