Generate cryptographically random secrets in your browser — JWT signing keys, API keys, password salts, .env secrets, session IDs. Multiple bit lengths and output formats. Nothing ever leaves your device.
Generate cryptographically random secrets for API keys, JWT signing keys, password salts, and session tokens. Generated entirely in your browser — nothing is sent to the server.
Cryptographically random output. Copy what you need — nothing is logged.
Bytes are generated with window.crypto.getRandomValues and encoded into the chosen format. Secrets are never sent to or stored on the server.
Practical guide to picking a bit length for common use cases.
| Bits | Bytes | Suggested use |
|---|---|---|
| 64 | 8 | Throwaway tokens, short-lived nonces only. Not for credentials. |
| 128 | 16 | Session IDs, password salts, CSRF tokens. |
| 256 | 32 | Recommended baseline. JWT HS256 keys, API keys, .env secrets, master keys. |
| 384 | 48 | HS384 signing keys, where 256 bits is too short by spec. |
| 512 | 64 | HS512 signing keys, ASP.NET Data Protection master keys, encryption keys for AES-256-GCM with extra header. |
| 1024+ | 128+ | Specialised cryptographic protocols, key derivation inputs, paranoia. |
Read before using a generated secret.
Use base64url (URL-safe, no padding) for secrets that go into URLs, JWTs, cookies, or environment variables — it avoids encoding pitfalls.
Use hex when you need an even-length, dot-friendly identifier (e.g. session IDs, log correlation tokens).
Never reuse a generated secret across environments. Generate a fresh one for each of dev, staging, and production. Store in a secrets manager, not in source control.
For password hashing, use bcrypt, scrypt, or Argon2 — not a raw random salt with a plain hash. This tool generates the random component; the hashing should happen in your application.