.env · security🔥 popular

NextAuth Secret Generator

Generate a cryptographically strong AUTH_SECRET or NEXTAUTH_SECRET for Auth.js v5 and NextAuth v4. All in-browser — nothing is sent to any server.

Be the first to rate
generated locally · crypto.getRandomValues · nothing sent anywhere
Auth.js v5 (Next.js 14+)
AUTH_SECRET — recommended for Auth.js v5 / next-auth v5
Raw secret
.env line
AUTH_SECRET=
NextAuth.js v4
NEXTAUTH_SECRET — legacy variable for next-auth@4
Raw secret
.env line
NEXTAUTH_SECRET=
JWT Secret (HS256/HS384, 48 bytes)
Higher entropy for custom JWT signing
Raw secret
.env line
JWT_SECRET=
CLI alternative
Auth.js built-in
npx auth secret
OpenSSL
openssl rand -base64 32

What it does

  • Generates AUTH_SECRET for Auth.js v5
  • Generates NEXTAUTH_SECRET for NextAuth v4
  • 32-byte base64url by default (matching openssl rand -base64 32)
  • Runs entirely in-browser with crypto.getRandomValues
  • One-click copy of raw secret or full .env line

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

When to use this tool

  • Bootstrapping a new Next.js app with Auth.js authentication
  • Rotating AUTH_SECRET after it was accidentally committed to git
  • Generating separate secrets for staging and production environments
  • Adding authentication to a Next.js project deployed on Vercel

Common mistakes

  • Using the same AUTH_SECRET in development and production
  • Committing AUTH_SECRET to git — add .env.local to .gitignore
  • Doing a rolling deploy when rotating the secret — all instances must get the new secret simultaneously
  • Using a short or password-derived secret — minimum 32 bytes of true randomness required

AUTH_SECRET vs NEXTAUTH_SECRET

Auth.js v5 renamed the environment variable from NEXTAUTH_SECRET to AUTH_SECRET. If you are starting a new project today, use AUTH_SECRET. If you are on next-auth@4, use NEXTAUTH_SECRET. Both require the same thing: a random, high-entropy string kept secret on the server.

What does the secret actually do?

Auth.js uses the secret to sign and verify JWTs (session tokens), to encrypt cookies, and to derive CSRF tokens. The minimum safe length is 32 bytes (256 bits), encoded as base64. This matches what openssl rand -base64 32 produces and what npx auth secret generates.

How to add it to your project

  1. Copy the generated value and paste it into your .env.local:
    AUTH_SECRET=<paste here>
  2. Add it to your hosting provider (Vercel, Railway, Fly.io) under production environment variables — never check it into git.
  3. Add the key with a blank value to .env.example:
    AUTH_SECRET=

Rotating the secret

Rotate if you suspect the secret was exposed. When you rotate, all existing sessions immediately invalidate — users are logged out. Auth.js v5 supports an array value for graceful rotation (new secret first, old secret still accepted). Deploy atomically — never mix old and new secrets across instances.

Frequently asked questions

AUTH_SECRET vs NEXTAUTH_SECRET — which do I use?

Auth.js v5 (the successor to NextAuth v4) renamed the variable from NEXTAUTH_SECRET to AUTH_SECRET. If you are starting a new project today with next-auth@5 or auth@latest, use AUTH_SECRET. If you are on next-auth@4, use NEXTAUTH_SECRET. Both require the same thing: a random, high-entropy string kept secret on the server.

What happens if AUTH_SECRET leaks?

An attacker with your secret can forge session tokens and impersonate any user in your application. Rotate immediately: generate a new secret, update it in all environments (preview, staging, production), and redeploy atomically. A rolling deploy with mixed secrets breaks auth for users mid-session.

Is this the same as running openssl rand -base64 32?

Yes — functionally identical. This tool uses crypto.getRandomValues (the browser's CSPRNG) to generate 32 bytes and encodes them as standard base64, exactly matching openssl rand -base64 32 output. You can use either method.

Does Auth.js support graceful secret rotation?

Yes. Auth.js v5 supports an array value for AUTH_SECRET — the first entry is used for signing new tokens, and remaining entries are accepted for verification. This allows a zero-downtime rotation: add the new secret first, deploy, then remove the old secret in a follow-up deploy.

Related tools

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.