JWT Secret Key Generator — HS256 / HS512
Generate a cryptographically secure secret key for signing JSON Web Tokens (JWTs). Whether you need an HS256, HS384, or HS512 secret, get a properly-sized random key instantly — ready to paste into your .env file.
Tips
Key size requirements by algorithm
HS256 requires a secret of at least 32 bytes (256 bits), HS384 at least 48 bytes, and HS512 at least 64 bytes: the key must be at least as long as the HMAC hash output (RFC 7518, section 3.2). Those are minimums of random key material, not of characters. Always meet them; a longer key does no harm.
Use base64 encoding for secrets
JWT libraries differ: some use the UTF-8 bytes of the secret string directly as the HMAC key, others base64-decode the string first. Check which yours does and size the secret for the bytes the library actually feeds to the HMAC. A 64-character base64 string decodes to 48 random bytes, enough for HS256 and HS384.
Different secrets per environment
Use separate JWT secrets for development, staging, and production. A leaked development secret should never compromise production tokens.
Store in environment variables
Set your JWT secret as JWT_SECRET in your .env file. Never hardcode it in your application source code or configuration files committed to git.
Secret Key Generator
Generate secure random keys, API tokens, or passwords.
About this tool
What is the Secret Key Generator?
The Secret Key Generator creates cryptographically random keys, passwords, API tokens, and secrets using your browser's built-in cryptographic random number generator. Choose the length, select which character sets to include, and generate as many keys as you need — instantly, with nothing sent to any server.
How to Use the Generator
- Set the length. Use the slider or input to choose how many characters your key should be.
- Select character sets. Toggle which types of characters to include:
- Uppercase letters (A–Z)
- Lowercase letters (a–z)
- Numbers (0–9)
- Symbols (!@#$%^&* etc.)
- Generate. A new random key is created immediately. Click Generate again for a different key.
- Copy. Click the Copy button to put the key on your clipboard.
Why Cryptographic Randomness Matters
Not all random is equal. Math.random() in JavaScript is a general-purpose pseudorandom number generator (PRNG): its output is fully determined by its internal state, which an attacker who observes enough outputs can often recover, and browsers make no promise about its unpredictability. Cryptographic randomness (crypto.getRandomValues()) comes from a cryptographically secure generator that the operating system seeds from hardware events, timing variations, and other unpredictable sources, so its output is computationally infeasible to predict.
This tool exclusively uses crypto.getRandomValues(). For passwords, API keys, session tokens, and anything that needs to be genuinely secret, this is the correct approach.
Recommended Key Lengths by Use Case
| Use case | Recommended length | Notes |
|---|---|---|
| Website passwords | 16–20 characters | Use a password manager to store |
| API keys | 32–64 characters | Alphanumeric or hex format |
| JWT secrets (HS256) | 32+ characters; 43+ alphanumeric for a full 256 bits | At least 32 bytes of key material; 32 alphanumeric characters carry only about 190 bits of entropy |
| JWT secrets (HS512) | 64+ characters; 86+ alphanumeric for a full 512 bits | At least 64 bytes of key material |
| Session tokens | 32 characters | Random, not predictable |
| Encryption keys | 32 or 64 hex characters | Hex decodes to raw bytes: 32 hex characters give a 16-byte key (AES-128), 64 give a 32-byte key (AES-256) |
| CSRF tokens | 16–32 characters | Single-use per form |
Character Set Considerations
Alphanumeric only (A–Z, a–z, 0–9) — URL-safe, compatible with most APIs and systems that don't accept special characters. Slightly lower entropy per character than full character sets.
Including symbols — increases entropy per character, producing stronger keys at the same length. Some systems restrict which symbols are valid; check before using.
Hex (0–9, a–f) — commonly used for API keys and cryptographic keys because hex encodes cleanly without special characters. A 64-character hex string represents 32 bytes (256 bits) of entropy.
Base64 — encodes 6 bits per character, more compact than hex. Used in JWTs, encoded credentials, and some API authentication schemes.
Privacy
Key generation happens entirely in your browser using the Web Crypto API. No keys, settings, or usage data are sent to any server or stored anywhere. Close the tab and the generated keys are gone.