.env · security

JWT Secret Generator

Generate a random JWT secret key instantly — base64url-encoded, correct byte length for HS256, HS384, and HS512. 100% client-side, nothing uploaded.

Be the first to rate
base64url-encoded · crypto.getRandomValues · in-browser only
HS256 (32 bytes)
Minimum for HMAC-SHA256
Secret
.env line
JWT_SECRET=
HS384 (48 bytes)
HMAC-SHA384 — recommended default
Secret
.env line
JWT_SECRET=
HS512 (64 bytes)
Maximum entropy for HMAC-SHA512
Secret
.env line
JWT_SECRET=
CLI alternatives
HS256
openssl rand -base64 32
HS384
openssl rand -base64 48
HS512
openssl rand -base64 64

What it does

  • HS256: 32-byte base64url secret (256-bit minimum)
  • HS384: 48-byte base64url secret (384-bit)
  • HS512: 64-byte base64url secret (512-bit maximum entropy)
  • All generated locally via crypto.getRandomValues
  • One-click copy of raw secret or full JWT_SECRET= .env line

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

When to use this tool

  • Bootstrapping a new API with JWT authentication
  • Rotating a compromised or weak JWT secret
  • Setting JWT_SECRET for a Node.js, Go, or Python service
  • Choosing the right algorithm (HS256 vs HS512) for your threat model

Common mistakes

  • Using a password or passphrase as the secret — low entropy, trivially crackable with hashcat
  • Using the same secret across development and production
  • Not rotating after a secret is accidentally logged or committed to git
  • Choosing HS256 with a key shorter than 32 bytes — this weakens the algorithm

Which algorithm and key size should I use?

The HMAC key must be at least as long as the hash output to avoid weakening the algorithm:

  • HS256 — SHA-256 produces 32 bytes; your key should be ≥ 32 bytes
  • HS384 — SHA-384 produces 48 bytes; your key should be ≥ 48 bytes
  • HS512 — SHA-512 produces 64 bytes; your key should be ≥ 64 bytes

For most applications, HS256 with a 32-byte key is sufficient. Use HS512 for maximum entropy — token size increases slightly but signing speed is not meaningfully different.

HMAC vs RSA/ECDSA — when to use which

HMAC (HS*) uses the same secret for signing and verification. Use it when both the issuer and verifier are the same service. If different services need to verify tokens without being able to issue them, use RSA (RS256) or ECDSA (ES256) — the private key signs, the public key verifies.

Why not just use a password?

Passwords are low-entropy by design. A JWT secret needs full cryptographic entropy — 256 bits (HS256) or more. Password-derived secrets can be cracked in minutes with tools like hashcat. A properly generated secret cannot be brute-forced in any practical timeframe.

Frequently asked questions

What is the minimum secure key length for HS256?

The HMAC key must be at least as long as the hash output to avoid weakening the algorithm. For HS256 (SHA-256) that is 32 bytes / 256 bits. This tool generates exactly 32 bytes for HS256, 48 for HS384, and 64 for HS512.

Should I use HMAC (HS256) or RSA/ECDSA (RS256/ES256)?

Use HMAC when both the issuer and verifier are the same service — simpler and faster. Use RSA or ECDSA when different services need to verify tokens without being able to issue them. With RSA/ECDSA, the private key signs and the public key (served at /.well-known/jwks.json) verifies. HMAC secrets must never be shared publicly.

What happens if my JWT secret is compromised?

An attacker with your secret can forge any token and impersonate any user. Rotate immediately: generate a new secret, redeploy, and invalidate all existing tokens (either by changing the secret or maintaining a token blocklist during the transition).

Is the generated secret stored anywhere?

No. The secret is generated using crypto.getRandomValues in your browser and displayed only to you. Nothing is sent to any server or logged.

Related tools

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.