JWT Secret Generator
Generate a cryptographically random HMAC secret for HS256, HS384, or HS512: entirely in your browser via the Web Crypto API. No secret ever leaves your machine.
Generated locally with crypto.getRandomValues: nothing is sent to a server.
Generate a JWT secret online
A JWT HS256 secret is a symmetric key: the same string signs and verifies tokens. Its security depends entirely on its entropy. This generator produces cryptographically random bytes with the Web Crypto API (crypto.getRandomValues) and encodes them as base64url, base64, or hex. The secret never leaves your browser, so it is safe to use even when generating production secrets: copy the output directly into your secrets manager.
How long should an HS256 secret be?
The minimum is 32 bytes (256 bits) for HS256, 48 bytes for HS384, and 64 bytes for HS512. Do not use a password, UUID, or memorable phrase: those are brute-forceable offline with hashcat once an attacker captures any valid token. A 32-byte CSPRNG-generated secret is effectively unbreakable with current hardware. For the full algorithm reference, see HS256.
Test your existing JWT secret's strength
The output field above is editable. Paste your current secret into it and the strength meter grades it Weak, Fair, or Strong: pairing a text label with color so the result is clear without relying on color alone. The meter flags known-weak literals (the JWT.io example, common passwords) and short or low-entropy values. If your secret grades below Strong, rotate it. For the full vulnerability writeup, see weak HMAC secret keys.
Frequently asked questions
- How do I generate a JWT secret?
Use a CSPRNG to produce at least 32 bytes of cryptographically random data for HS256 (48 for HS384, 64 for HS512), then encode it as base64url, base64, or hex. The tool above does this in your browser via crypto.getRandomValues: nothing is sent to a server. From a terminal, use openssl rand -base64 32, crypto.randomBytes(32) in Node.js, or secrets.token_urlsafe(32) in Python. Never use a password, UUID, or memorable phrase as an HS256 secret: weak secrets can be brute-forced offline with hashcat once an attacker captures any valid token.
- How long should a JWT HS256 secret be?
At least 32 bytes (256 bits). HS384 requires 48 bytes, HS512 requires 64 bytes. The secret must be cryptographically random: not a password, UUID, or human-readable string. A 32-byte random secret is effectively unbreakable with current hardware; a weak secret falls in seconds to minutes with hashcat -m 16500 against a captured token.
- Is this JWT secret generator safe to use for production?
Yes. The generator uses the Web Crypto API (crypto.getRandomValues), which is the browser's cryptographically secure random number generator: the same CSPRNG your operating system provides. The generated secret never leaves your browser; there are no server requests. For production, copy the generated secret into your secrets manager (AWS Secrets Manager, Doppler, Vault) or environment variable: never commit it to source control.
- What encoding should I use for a JWT secret?
base64url is the JWT-preferred encoding (RFC 7515 uses base64url throughout) and produces the most compact string with no + or / characters that need escaping. base64 is the most widely supported. hex is human-readable and easy to paste into config files but is twice as long. All three encode the same random bytes: pick whichever your JWT library and secrets manager accept.
- Can I test the strength of my existing JWT secret here?
Yes. The output field above is editable: paste your existing secret into it and the strength meter re-evaluates instantly. The meter grades the secret Weak, Fair, or Strong based on estimated entropy and flags known-weak literals (like the JWT.io example 'your-256-bit-secret' and common passwords). If your secret grades Weak or Fair, rotate it to a 32-byte CSPRNG-generated value as soon as possible.