Secret Key Generator

Generate cryptographically secure secret keys for JWT signing, API authentication, webhook validation, session secrets, and encryption. All keys are generated locally in your browser; nothing is sent to any server.

Keys are generated entirely in your browser using Web Crypto API. Nothing is sent to any server.

Generated Key (example output): Very Strong · 381 bits
0KzwxmfNEy1tw9LxsrZHQjMKjZqwQESSYbUjTcoBvI0aUhXE9m9MDhYs0gkIYyuz
Security reminder: Never commit secret keys to version control. Store them in environment variables (.env) or a secrets manager (like Vercel Secrets, AWS Secrets Manager, or HashiCorp Vault).

How It Works

This tool generates random keys using crypto.getRandomValues(), the same Web Crypto API used by browsers for TLS, HTTPS handshakes, and cryptographic operations. This is a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator), fundamentally different from Math.random(), which is not suitable for security-sensitive values.

To prevent modulo bias (where some characters would appear more frequently than others), the tool uses rejection sampling: if a random value falls outside the largest multiple of the charset length that fits in a 32-bit integer, it discards that value and generates a new one. This guarantees a uniform distribution across all characters.

JWT Secret: 64+ chars, alphanumeric, for HS256/HS512 signing
API Key: 32 chars, alphanumeric, for REST API authentication
Webhook Secret: 40 chars for HMAC signature verification
Session Secret: 48+ chars for server-side session management

Why Use a Dedicated Secret Key Generator?

Many developers make the mistake of using weak or predictable values as secret keys: short strings, project names, or passwords. A compromised JWT secret allows attackers to forge valid tokens and impersonate any user. A compromised API key exposes your backend. A compromised webhook secret allows request forgery.

This generator creates keys with sufficient entropy (minimum 128 bits recommended, 256+ bits for long-term secrets) using a vetted cryptographic source. The entropy meter shows you exactly how strong your key is in bits, making it easy to meet security compliance requirements.

Frequently Asked Questions

Yes. The generator uses window.crypto.getRandomValues(), the Web Crypto API, which is the browser-native CSPRNG (Cryptographically Secure Pseudo-Random Number Generator). It also uses rejection sampling to eliminate modulo bias, ensuring every character in the charset has an equal probability of being selected.

Passwords are designed to be memorable by humans. Secret keys are designed to be unguessable by machines: they are long, random, and never typed manually. Secret keys are used in server-to-server communication, JWT signing, API authentication, session management, and encryption. They should always be stored in environment variables or secrets managers, never in code.

For HS256 JWT signing, a minimum of 32 bytes (64 hex characters or alphanumeric) is recommended. For HS512, use 64 bytes. This tool defaults to 64 characters, which provides approximately 381 bits of entropy with a mixed character set, well above the recommended minimum.

No. Key generation happens entirely in your browser using the Web Crypto API. The generated key is never transmitted over the network, stored in any database, or logged anywhere. You can verify this by running the tool offline; it works with no internet connection.

For most use cases (JWT, API keys, session secrets), alphanumeric keys (uppercase + lowercase + numbers) are preferred because they avoid shell-escaping issues when used in .env files or CLI arguments. Enable symbols only if your environment guarantees correct escaping of special characters.

The Password Generator is optimized for human-memorable passwords used in login forms. The Secret Key Generator is optimized for machine-to-machine authentication: it offers longer lengths (up to 256 chars), shows entropy bits, provides developer-specific presets (JWT, API key, webhook, encryption, session), and includes a security reminder about how to properly store keys in production.

Ambiguous characters are those that look visually similar: 0 (zero) and O (letter O), 1 (one), l (lowercase L) and I (uppercase i). For secret keys used programmatically this rarely matters, but if you ever need to manually read or transcribe a key, excluding these characters reduces transcription errors.

Yes. Once the page has loaded, the key generator works entirely offline. The Web Crypto API is available in all modern browsers without any internet connection.