JWT Secret Key Generator
Generate cryptographically secure secret keys for HS256, HS384, and HS512 JWT signing.
About HMAC JWT Secret Keys
HMAC-based JWT algorithms (HS256, HS384, HS512) use a shared secret key to both sign and verify tokens. The number suffix indicates the SHA hash size used: 256, 384, or 512 bits.
Key length requirements
Per RFC 7518 §3.2, the key must be at least as long as the hash output:
- HS256 — minimum 256 bits
- HS384 — minimum 384 bits
- HS512 — minimum 512 bits
Security notes
- Keys are generated entirely in your browser using the Web Crypto API — nothing is sent to a server.
- Store the secret in a secret manager (e.g. AWS Secrets Manager, HashiCorp Vault) — never in source code or environment files committed to version control.
- HMAC algorithms use a symmetric key: any party with the secret can both sign and verify tokens. For asymmetric signing, use RS256 or ES256 instead.
Frequently Asked Questions
- What is a JWT secret key?
- A JWT secret key is used by HMAC-based algorithms (HS256, HS384, HS512) to both sign and verify tokens. Any party holding the secret can issue valid tokens, so it must be kept confidential.
- How long should a JWT secret be?
- RFC 7518 requires the key to be at least as long as the hash output: 256 bits for HS256, 384 bits for HS384, and 512 bits for HS512. Longer keys provide no additional security beyond the algorithm's hash size.
- Is it safe to generate a key here?
- Yes. Keys are generated entirely in your browser using the Web Crypto API (crypto.getRandomValues). Nothing is transmitted to a server.
- What format is the output?
- Keys are encoded as base64url — the standard encoding for JWT-related binary data. You can use the value directly as the secret in libraries like jsonwebtoken or jose.
- When should I use HMAC instead of RSA or ECDSA?
- Use HMAC (HS256/HS384/HS512) when a single service both issues and verifies tokens. Use asymmetric algorithms (RS256, ES256) when multiple services need to verify tokens but only one should sign them.
Learn more about JWT
- How to Generate a JWT Secret Key for HMAC Algorithms Learn how to generate a secure JWT secret key for HMAC algorithms (HS256, HS384, HS512) using OpenSSL, Python, Node.js, or an online generator.
- Step-Up Authentication with Auth0 If you're using Auth0 for authentication, you can implement step-up authentication by leveraging the ID token and its claims. Learn how to enforce step-up authentication based on the user's context or the requested operation.
- Step-Up Authentication with OpenID Connect If you're using OpenID Connect for authentication, you can implement step-up authentication by leveraging the ID token and its claims. Learn how to enforce step-up authentication based on the user's context or the requested operation.
- Understanding OpenID Connect and OAuth 2.0 Tokens OpenID Connect and OAuth 2.0 have several types of tokens, each serving distinct purposes. In this article, we'll explore the different tokens, their formats, and their appropriate use cases.
- JWT Signing Algorithms: How to choose the right one? Choosing the right JWT signing algorithm is crucial to ensure the security of your application. In this article, we will discuss the different algorithms available and how to choose the right one.
- JWT or Opaque Token: What is the best choice for M2M? JWT or opaque tokens can both serve as authentication mechanisms for machine-to-machine (M2M) communications. But which is the best choice?