NordPass

Free JWT Secret Generator

Generate cryptographically random secrets for signing JSON Web Tokens (JWT) with HMAC algorithms. Defaults to 64 bytes (HS512-safe), output in base64url. Adjustable from 32 bytes (HS256) to 128 bytes for maximum margin.

Default output: 64 bytes (512 bits), HS512-safe, generated locally in your browser.

Size presets: 32 B → HS256, 48 B → HS384, 64 B → HS512.

How to use the secret

Drop it into your application configuration as JWT_SECRET, JWT_SIGNING_KEY, or whatever your framework calls it. Common examples:

  • Node / jsonwebtoken: jwt.sign(payload, process.env.JWT_SECRET, { algorithm: 'HS256' })
  • Python / PyJWT: jwt.encode(payload, JWT_SECRET, algorithm='HS256')
  • Go / golang-jwt: token.SignedString([]byte(jwtSecret))
  • Ruby / ruby-jwt: JWT.encode(payload, jwt_secret, 'HS256')

HS vs RS — which signing algorithm?

HS (HMAC) uses a shared secret — what this tool generates. Good for monolith services that issue and verify their own tokens. RS (RSA) and ES (ECDSA) use a public/private key pair. Use RS or ES when the verifying party should not be able to issue tokens (federation, third-party clients).

Frequently asked questions

What is a JWT secret?

A JWT secret is the symmetric key used to sign JSON Web Tokens with HMAC algorithms (HS256, HS384, HS512). Anyone who holds this secret can issue valid tokens for your service, so it must be at least as long as the hash output and stored securely.

How long should a JWT secret be?

RFC 7518 recommends a key at least as long as the hash output: 32 bytes (256 bits) for HS256, 48 bytes for HS384, 64 bytes for HS512. We default to 64 bytes, which is safe for any HMAC algorithm.

Which output format should I choose?

base64url is the conventional choice and what most JWT libraries expect. Use base64 only for legacy systems. hex is the easiest to inspect by eye but takes 2× the storage of base64.

How often should I rotate the secret?

Every 90 days for production systems is a common standard. Always rotate after a suspected leak. Plan key rotation into your design from day one — many JWT libraries support multiple active keys for graceful rollover.

Is it safe to generate the secret here?

Yes. The secret is generated entirely in your browser using crypto.getRandomValues. Nothing is sent to a server, logged, or stored.
