Session Secret Generator
Create a strong SESSION_SECRET for Express sessions, signed cookies, and server-side auth state.
For Express sessions, cookie signing, and app-level SESSION_SECRET values.
Use 48-64 characters for production session, JWT, and webhook secrets.
Generated locally in your browser with secure random values.
Copy directly into .env, Fly.io secrets, Vercel, Render, or Docker env files.
SESSION_SECRET="..."
Generate long random values for symmetric JWT signing with HS256 or HS512.
Copy a production-ready AUTH_SECRET or NEXTAUTH_SECRET for Auth.js apps.
Create webhook signing secrets for SHA-256 HMAC verification and API integrations.
This free secret key generator creates random values in your browser using the Web Crypto API. Use it for session secrets, JWT secrets, HMAC secrets, webhook signing keys, API token seeds, and deployment environment variables.
Prefer long secrets with at least 48 characters for production apps. Store them as environment variables such as SESSION_SECRET, JWT_SECRET, AUTH_SECRET, or WEBHOOK_SECRET.
A session secret is a private random value used to sign session cookies and prevent tampering. It should be long, unpredictable, and stored in an environment variable.
Use at least 32 characters for development and 48 to 64 characters for production secrets such as JWT, session, HMAC, and webhook signing keys.
No. The generator runs in your browser with the Web Crypto API, so generated secrets are not uploaded, logged, or stored by TOOlover.
Yes. Generate a long Base64URL or hex value and store it as JWT_SECRET, AUTH_SECRET, SESSION_SECRET, or WEBHOOK_SECRET depending on your app.
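The generation step described above, sketched with the Web Crypto API as an added example (this is not TOOlover's own code). The function names `generateSecret`, `entropyBits`, and `envLine` are hypothetical, and the 32-character floor is taken from the development minimum stated on this page.

```javascript
// Added example; all function names here are illustrative assumptions.
// Browsers and recent Node expose Web Crypto as globalThis.crypto.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Encode bytes as lowercase hex (2 characters per byte, 4 bits per character).
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Encode bytes as unpadded Base64URL (A-Z a-z 0-9 - _, 6 bits per character).
function toBase64Url(bytes) {
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Return a secret of exactly `length` characters drawn from CSPRNG output.
function generateSecret(length = 64, encoding = "base64url") {
  if (!Number.isInteger(length) || length < 32) {
    throw new RangeError("length must be an integer >= 32");
  }
  // Request enough bytes that every kept character carries full entropy:
  // hex needs length/2 bytes, Base64URL needs 3 bytes per 4 characters.
  const byteCount = encoding === "hex"
    ? Math.ceil(length / 2)
    : Math.ceil((length * 3) / 4);
  const bytes = webCrypto.getRandomValues(new Uint8Array(byteCount));
  const text = encoding === "hex" ? toHex(bytes) : toBase64Url(bytes);
  return text.slice(0, length);
}

// Bits of entropy in a secret produced by generateSecret.
function entropyBits(length, encoding = "base64url") {
  return length * (encoding === "hex" ? 4 : 6);
}

// Format a line for a .env file; both alphabets are safe inside double quotes.
function envLine(name, secret) {
  if (!/^[A-Z_][A-Z0-9_]*$/.test(name)) {
    throw new Error("invalid environment variable name");
  }
  return `${name}="${secret}"`;
}
```

At the same length, Base64URL carries more entropy than hex: 64 characters give 384 bits as Base64URL and 256 bits as hex.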