JWT Secret Generator

Generate secure JWT signing secrets directly in your browser. Everything stays on device and nothing is sent to a server.

Generate a JWT signing secret

Base64URL is the recommended format because it is easy to paste into `.env` files.

.env format

JWT_SECRET=""

Strength: Extremely strong
Length: 64 bytes
Estimated entropy: 512 bits
Recommendation: A strong default for production use.

JWT secret overview

What is a JWT secret?

It is the secret string used to sign and verify JWTs. For HMAC algorithms such as HS256, the same secret is used for signing and verification.

Recommended length

When in doubt, choose 64 bytes or more. Avoid short words, reused passwords, and predictable values.
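
As an added example (not this tool's own source), here is one way to generate a 64-byte secret with the Web Crypto CSPRNG, encode it as Base64URL, and check a configured secret at application startup. The function names are hypothetical, and the 32-byte floor is the HS256 minimum key size from RFC 7518, section 3.2, not a value from this page.

```javascript
// Added example; function names are hypothetical, not part of the tool.
// Browsers and Node 19+ expose Web Crypto globally; older Node uses the fallback.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Encode raw bytes as unpadded Base64URL (RFC 4648, section 5).
function toBase64Url(bytes) {
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode unpadded Base64URL to bytes; returns null if the text is not Base64URL.
function fromBase64Url(text) {
  if (!/^[A-Za-z0-9_-]+$/.test(text) || text.length % 4 === 1) return null;
  const padded = text + '='.repeat((4 - (text.length % 4)) % 4);
  const binary = atob(padded.replace(/-/g, '+').replace(/_/g, '/'));
  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
}

// Generate a secret from the CSPRNG; 64 bytes is the page's recommended default.
function generateJwtSecret(byteLength = 64) {
  const bytes = webCrypto.getRandomValues(new Uint8Array(byteLength));
  return toBase64Url(bytes);
}

// Startup check for a configured secret. minBytes = 32 is the HS256 minimum
// (assumption taken from RFC 7518, not from the page). The entropy figure of
// 8 bits per byte only holds when the bytes came from a CSPRNG, as above.
function checkJwtSecret(secret, minBytes = 32) {
  const bytes = fromBase64Url(secret);
  if (bytes === null) return { ok: false, reason: 'not Base64URL' };
  if (bytes.length < minBytes) return { ok: false, reason: `only ${bytes.length} bytes` };
  return { ok: true, bytes: bytes.length, entropyBits: bytes.length * 8 };
}

// Produce a line ready to paste into a .env file.
const secret = generateJwtSecret();
console.log(`JWT_SECRET="${secret}"`);
```

A long human-chosen passphrase can still pass the length check, so the check complements generating the value randomly rather than replacing it.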

JWT_SECRET vs NextAuth secret

JWT_SECRET is for general JWT use, while NextAuth secret is for NextAuth.js / Auth.js. They should usually be managed separately.

Safety notes

The generated secret is created only in this browser. Do not commit it to public repositories; store it in .env.local or production environment variables, and use separate values for development and production when possible.

FAQ

How long should a JWT secret be?

For production, a random value around 64 bytes is a good default.

Can the secret include symbols?

Yes, but Base64URL is usually easier to handle in `.env` files.

Is the generated secret sent to a server?

No. Generation happens entirely in your browser and the secret is not uploaded.

Should I separate JWT_SECRET and ACCESS_TOKEN_SECRET?

Yes, if you manage access and refresh tokens separately, keep their secrets separate too.

Safety

Browser-only

Generation and export both stay in the browser.

No upload

Your input is never sent to a server.

No storage

Reloading clears the input and output.