JWT Secret Key Generator

Generate cryptographically secure secret keys for HS256, HS384, and HS512 JWT signing.

About HMAC JWT Secret Keys

HMAC-based JWT algorithms (HS256, HS384, HS512) use a shared secret key to both sign and verify tokens. The number suffix indicates the SHA hash size used: 256, 384, or 512 bits.

Key length requirements

Per RFC 7518 §3.2, the key must be at least as long as the hash output:

  • HS256 — minimum 256 bits
  • HS384 — minimum 384 bits
  • HS512 — minimum 512 bits

Security notes

  • Keys are generated entirely in your browser using the Web Crypto API — nothing is sent to a server.
  • Store the secret in a secret manager (e.g. AWS Secrets Manager, HashiCorp Vault) — never in source code or environment files committed to version control.
  • HMAC algorithms use a symmetric key: any party with the secret can both sign and verify tokens. For asymmetric signing, use RS256 or ES256 instead.

Frequently Asked Questions

What is a JWT secret key?
A JWT secret key is used by HMAC-based algorithms (HS256, HS384, HS512) to both sign and verify tokens. Any party holding the secret can issue valid tokens, so it must be kept confidential.
How long should a JWT secret be?
RFC 7518 requires the key to be at least as long as the hash output: 256 bits for HS256, 384 bits for HS384, and 512 bits for HS512. Longer keys provide no additional security beyond the algorithm's hash size.
Is it safe to generate a key here?
Yes. Keys are generated entirely in your browser using the Web Crypto API (crypto.getRandomValues). Nothing is transmitted to a server.
What format is the output?
Keys are encoded as base64url — the standard encoding for JWT-related binary data. You can use the value directly as the secret in libraries like jsonwebtoken or jose.
When should I use HMAC instead of RSA or ECDSA?
Use HMAC (HS256/HS384/HS512) when a single service both issues and verifies tokens. Use asymmetric algorithms (RS256, ES256) when multiple services need to verify tokens but only one should sign them.
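
The generation step and the RFC 7518 §3.2 length rule described on this page, written out as an added example (this is not the generator's own source). The names MIN_KEY_BYTES, toBase64Url, fromBase64Url, generateSecret and checkSecret are hypothetical; checkSecret is the kind of startup check a service could run on its configured secret.

```javascript
// Added example: all names here are hypothetical, not the page's own source.
// Minimum key sizes in bytes, from the RFC 7518 §3.2 rule (256/384/512 bits).
const MIN_KEY_BYTES = new Map([["HS256", 32], ["HS384", 48], ["HS512", 64]]);

// Browsers and current Node.js expose Web Crypto as globalThis.crypto;
// the require() fallback covers older Node.js releases.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

function toBase64Url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromBase64Url(text) {
  if (!/^[A-Za-z0-9_-]+$/.test(text) || text.length % 4 === 1) {
    throw new Error("not valid base64url");
  }
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Draw exactly the minimum number of random bytes for the algorithm.
function generateSecret(alg) {
  const size = MIN_KEY_BYTES.get(alg);
  if (!size) throw new Error(`unsupported algorithm: ${alg}`);
  return toBase64Url(webCrypto.getRandomValues(new Uint8Array(size)));
}

// Startup check: decode the configured secret and compare its byte length
// with the minimum for the algorithm the service is configured to use.
function checkSecret(alg, secret) {
  const size = MIN_KEY_BYTES.get(alg);
  if (!size) return { ok: false, reason: "unsupported algorithm" };
  let bytes;
  try {
    bytes = fromBase64Url(secret);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (bytes.length < size) {
    return { ok: false, reason: `${bytes.length * 8} bits, need ${size * 8}` };
  }
  return { ok: true, bits: bytes.length * 8 };
}
```

The check assumes the service decodes the base64url text to bytes before use; a library handed the text as a plain string keys HMAC with the characters themselves.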
