JWT Secret Generator
Generate a strong, random signing secret for your JSON Web Tokens, sized for HS256 and ready to drop into your backend configuration.
The secret is generated locally with the Web Crypto API and never touches our servers.
Why JWT secrets matter
A JWT signed with HMAC (HS256, HS384, HS512) is only as safe as its signing secret. The same secret signs and verifies every token, so a weak or guessable value lets anyone forge tokens and impersonate users.
Use a long, fully random secret, never a dictionary word or a reused password. Keep it on the server, out of source control, and rotate it if it is ever exposed.
Best practices
- For HS256 use at least 32 bytes (256 bits), the minimum RFC 7518 requires; 64 bytes (the SHA-256 block size) is a comfortable choice, and anything longer is hashed down by HMAC before use.
- Store the secret in an environment variable or secret manager, never in the client.
- Rotate the secret on suspected exposure and invalidate tokens signed with the old one.
More secret generators
Every generator below is the same local, Web Crypto powered tool, preset for a different job. Nothing you generate leaves your browser.
- Secure Password Generator: passwords, secrets, tokens and PINs in one place.
- OpenSSL Rand Generator: openssl rand style base64 and hex secrets.
- API Key Generator: opaque, high entropy keys for API auth.
- Random Token Generator: session, reset and verification tokens.
- Passphrase Generator: memorable multi word passphrases.
- PIN Generator: quick numeric PIN codes.
Frequently asked questions
How long should a JWT secret be?
For HS256, at least 32 bytes (256 bits), matching the SHA-256 output and the minimum RFC 7518 requires. 32 to 64 random bytes is the common range. Beyond the 64-byte SHA-256 block size there is no benefit at all, because HMAC hashes a longer key down to 32 bytes before using it.
Can I use a password as my JWT secret?
You should not. Passwords have low entropy and are guessable. Use a fully random secret from a CSPRNG, which is what this generator produces.
base64url or hex for the secret?
Either works as long as the decoded byte count is right; make sure the signing library decodes the string the same way you encoded it rather than treating the text itself as the key. This tool defaults JWT secrets to base64url, which is compact, URL-safe and needs no quoting in most config formats. Hex is twice as long for the same bytes but easier to eyeball.
Where should I store the JWT secret?
In an environment variable or a dedicated secret manager on the server. Never commit it to a repository or expose it to the browser.
