Create cryptographically secure secret keys for JWT signing directly in your browser. Select the key length that matches your required algorithm—256 bits for HS256, 384 bits for HS384, or 512 bits for HS512. Choose from Hex, Base64, or Base64URL formats, or define a custom character set. All randomness is derived from the browser's native Web Crypto API.
HS256: HMAC with SHA-256. The most common symmetric algorithm for JWT signing. Recommended: 256-bit key

HS384: HMAC with SHA-384. A stronger hash for tighter security requirements. Recommended: 384-bit key

HS512: HMAC with SHA-512. The strongest option for highly sensitive applications. Recommended: 512-bit key

A JWT (JSON Web Token) secret key is a cryptographic string used to sign and verify tokens in authentication systems. During token creation, the secret key is combined with the header and payload to generate a unique signature. This signature ensures the token's integrity; if the payload is altered, the signature will no longer match, and the token will be rejected.
Alphanumeric mode generates keys using hexadecimal or Base64-encoded bytes. This is the standard format expected by the vast majority of JWT libraries. Special Characters mode utilizes a broader character set, including symbols like !@#$%. While this packs more entropy into each character—resulting in a shorter string for the same security level—verify that your specific JWT library supports these characters before use.
For most production applications, 256 bits is the industry standard and the minimum requirement for the HS256 algorithm. High-security environments, such as financial or healthcare systems, may require 384 or 512 bits. As a general rule, match the key length to your algorithm: HS256 requires at least 256 bits, HS384 requires 384, and HS512 requires 512.
The Encryption Strength slider determines the security level in bits, not the total number of characters. A larger character set provides more entropy per character, which means fewer characters are needed to reach the same security threshold, so for the same 256-bit security level the generated string is shorter in Base64 or a custom character set than in Hex.
Regardless of the character count, all three formats offer the same resistance to brute-force attacks.
Base64URL replaces + and / with - and _. This makes the key safe for use in URLs without additional encoding.
This tool uses crypto.getRandomValues(), the standard browser API for generating cryptographically strong random numbers. It draws entropy from the underlying operating system (such as /dev/urandom on Unix or CryptGenRandom on Windows). Unlike Math.random(), which is predictable, this method is suitable for generating production-grade secrets.
The randomness is cryptographically sound, and all generation happens locally on your machine. No data is transmitted to an external server. However, you are responsible for the secure storage of the generated key. Use environment variables or a dedicated key management service (KMS), and never commit secret keys to version control systems like Git.
It is best practice to rotate your secret keys every 90 to 180 days, or immediately if you suspect a compromise. When rotating keys, implement a transition period where both the old and new keys are valid to prevent active user sessions from being abruptly terminated.
If you prefer to generate keys locally without a browser, you can use the following commands:
OpenSSL (Linux / macOS):
  openssl rand -hex 32      (Generates a 64-character hex string / 256 bits)
  openssl rand -base64 32   (Generates a Base64 key at 256-bit strength)

Python:
  python3 -c "import secrets; print(secrets.token_hex(32))"

Node.js:
  node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Validate the exp (expiration), iss (issuer), and aud (audience) claims.
Store tokens in httpOnly and Secure cookies to mitigate XSS risks.