Server Secret Generator
Generate secure server keys for S2S APIs, webhooks, JWT, sessions, encryption, and PKCE.
Unlimited | No signup | Client-side by default
Quick picks
Auto-generated secrets. Refresh until you find one you like, then copy.
How to use (Node.js)
Use for private service-to-service calls between backends. The generator is already configured to this preset.

const crypto = require("crypto");
const apiKey = process.env.S2S_PRIVATE_API_KEY;
// Compare as bytes in constant time; timingSafeEqual requires equal lengths, so check that first.
const presented = Buffer.from(String(req.headers["x-api-key"] ?? ""));
const expected = Buffer.from(apiKey);
if (presented.length !== expected.length || !crypto.timingSafeEqual(presented, expected)) {
  return res.status(401).end();
}

Server-to-Server (S2S) API Key Generator
Use a private API key for internal services and backend to backend calls. Rotate it on a schedule.
Default: 32 bytes, base64url.
Webhook Signing Secret Generator (HMAC-SHA256)
Use an HMAC SHA256 secret to verify webhook signatures and reject tampered payloads.
Default: 32 bytes, base64url.
JWT Secret Generator (HS256)
Generate a strong HS256 secret for JWT signing when a single service owns the key.
Default: 32 bytes, base64url.
JWT Keypair Generator (RS256 / ES256)
Generate RS256 or ES256 JWT keypairs for public verification and safer key distribution.
Default: ES256 (P-256) keypair.
AES-256-GCM Key Generator
Generate 32 byte keys for AES-256-GCM encryption. Always use a unique nonce.
Default: 32 bytes, base64url.
XChaCha20-Poly1305 Key Generator
Generate 32 byte keys for XChaCha20-Poly1305 using libsodium or compatible libraries.
Default: 32 bytes, base64url.
OAuth PKCE Verifier + Challenge Generator
Generate a PKCE verifier and S256 challenge for OAuth authorization flows.
Default: verifier length 64 chars, S256 challenge.
Security notes
- Client-side generation uses crypto.getRandomValues.
- No localStorage, cookies, or persistence.
- Server fallback responses are no-store when used.
FAQ
Is this server secret generator client-side?
Yes, by default. Random tokens (API keys, webhook secrets, JWT/session secrets, encryption keys) and PKCE values are generated in your browser using Web Crypto (crypto.getRandomValues and crypto.subtle when available).
When are secrets generated on the server?
Only when you enable “Server fallback” for JWT keypair generation. In that mode, the keypair is generated server-side and returned to your browser. If you need strictly client-side generation, keep Server fallback turned off.
Do you store, log, or track generated secrets?
No. Generated values live only in memory on this page. We don’t persist secrets in localStorage/cookies, and we don’t intentionally send secrets in analytics payloads.
Are generated secrets ever sent over the network?
Not for the default client-side generators. The only network call in this tool is the optional keypair “Server fallback”; if enabled, your browser requests a keypair and receives PEM strings in the response.
Which preset should I use (API key vs webhook secret vs JWT vs session)?
Use “Server-to-Server (S2S) API Key” for internal service auth, “Webhook Signing Secret” for verifying provider webhooks (HMAC), “JWT Secret (HS256)” for symmetric JWT signing, “JWT Keypair (RS256/ES256)” for asymmetric JWT signing with shared public keys, and “Session / Cookie Secret” for signing cookies or server sessions.
How long should an API key or webhook signing secret be?
32 random bytes (256 bits) is a strong default for API keys and HMAC webhook secrets. Use 64 bytes when you want extra margin and your integration doesn’t have length limits.
base64url vs hex: which encoding should I choose?
Use base64url for most cases: it’s compact, URL-safe, and copy/paste friendly. Use hex when a library explicitly expects hex strings (note hex is longer: 32 bytes becomes 64 hex characters).
AES-256-GCM and XChaCha20-Poly1305 keys: should I use 32 or 64 bytes?
Use 32 bytes. AES-256 and XChaCha20-Poly1305 require 256-bit (32-byte) keys. If you need to derive keys from longer secrets, use a KDF (like HKDF/scrypt/Argon2) instead of passing a 64-byte value directly as a cipher key.
HS256 vs RS256 vs ES256 for JWT: which should I use?
Use HS256 only when one trusted backend both signs and verifies tokens (shared secret). Use RS256 or ES256 when multiple services need to verify tokens without sharing the private key (publish the public key).
How do I store JWT PEM keys in a .env file?
Use the “.env” copy format. When reading it in Node.js, convert escaped newlines back to real newlines (for example: process.env.JWT_PRIVATE_KEY?.replace(/\\n/g, "\n")).
What is OAuth PKCE and where do verifier/challenge go?
PKCE protects OAuth public clients. Send the S256 code_challenge in the authorization request, and send the verifier only when exchanging the authorization code for tokens at the token endpoint.
What does “Prefix” do, and is it safe?
Prefix prepends a readable label (for example: “prod_” or “api_”) to the generated random value. It’s safe as long as the random part remains long and secret; prefixes are not a security feature.
What does “Alnum only” mean for session / cookie secrets?
It restricts output to letters and numbers for compatibility with strict parsers. This reduces entropy per character, so keep a long secret and prefer the default output unless you truly need compatibility mode.
Should I commit generated secrets to Git or share them in Slack?
No. Treat generated values as credentials. Store them in a secret manager or environment variables, avoid pasting into issues/logs, and be careful when screen sharing (the output box contains real secrets).
Can I use this tool offline?
After the page is loaded, generating values doesn’t require a network connection. However, offline availability depends on whether your browser has cached the page assets.
Do I need to rotate secrets and keys?
Yes. Rotate long-lived secrets on a schedule and immediately after any suspected exposure. Plan for rotation (key IDs, overlapping validity windows, or dual-accept during migration) so you can rotate without downtime.
Generated locally using Web Crypto when possible.
No secrets stored.