How to Generate Secure Secret Keys
What makes a key "secure," why entropy matters, and how to generate keys you can trust.
6 min read

[Passwords] How to Create Strong Passwords and Passphrases
Length beats complexity. How to build passwords and passphrases that resist modern attacks.
6 min read

[Tokens] API Tokens and Bearer Tokens Explained
Opaque tokens, bearer auth, prefixes like sk_ and pk_, and how to generate them safely.
6 min read

[API keys] API Keys: Generation and Best Practices
How to format, store, rotate, and revoke API keys without leaking them.
7 min read

[JWT] JWT Secrets and Signing with HS256/384/512
How JSON Web Tokens are signed, how big your HMAC secret should be, and common pitfalls.
7 min read

[Hashing] Cryptographic Hash Functions Explained
What hashes are for, what they are not for, and why salting matters.
6 min read

[Hashing] SHA-256, SHA-384, and SHA-512 Explained
The SHA-2 family compared: output sizes, performance, and when to choose each.
6 min read

[Encryption] Encryption Keys and AES-128/192/256
Symmetric keys, IVs, salts, and why 256-bit AES is the sensible default.
6 min read

[Identifiers] UUIDs Explained: v4, v7, ULID and More
Random vs sortable IDs, UUID v7, ULID, ObjectIDs, and how to pick the right one.
7 min read

[Fundamentals] What Is Entropy and Why It Matters for Secrets
Entropy is the real measure of secret strength. What bits mean and how to keep them.
6 min read

[Randomness] CSPRNG vs PRNG: Why Math.random() Isn't Safe
Why predictable randomness breaks secrets, and which secure RNG to use on each platform.
6 min read

[Integrity] HMAC Explained: Keyed Hashing for Integrity
How a secret key plus a hash proves a message is authentic — and how to verify it safely.
7 min read

[Passwords] Salting and Peppering: Protecting Stored Passwords
Why plain hashes fail and how salts, peppers, and slow hashing keep stored passwords safe.
7 min read

[2FA] TOTP and Authenticator App Secrets Explained
The Base32 shared secret, otpauth URIs, and how those 6-digit codes are derived.
6 min read

[Encoding] Base64, Base64URL, and Hex: Encoding Secrets
Encoding isn't encryption. How each format represents bytes and which one to choose.
6 min read

[Key pairs] RSA vs ECDSA: Choosing a Key Pair
How public/private keys work and how RSA, ECDSA, and Ed25519 compare on size and speed.
7 min read

[Identifiers] NanoID, Base58, and Short ID Generation
When a UUID is overkill: compact, URL-safe IDs and how to reason about collisions.
6 min read

[Operations] Managing Secrets: .env Files vs Secret Managers
Where secrets should live, how to keep them out of Git, and when to use a secret manager.
7 min read

[Operations] Secret Rotation: When and How to Rotate Keys
Why and when to rotate, and how to roll keys with zero downtime using versioning.
7 min read

[Operations] Webhook Secrets and Signature Verification
How HMAC signatures protect webhook payloads and why you must verify them with constant-time comparison.
6 min read

[Auth] OAuth 2.0 Client Secrets Explained
Client ID vs client secret, which flows require them, and how to keep them out of front-end code.
7 min read

[Passwords] Bcrypt, scrypt, and Argon2: Choosing a Password Hasher
Why fast hashes fail for passwords and how to tune Argon2id, bcrypt, and scrypt cost parameters.
7 min read

[Encryption] TLS Certificates and Private Keys Explained
How the certificate chain proves identity, what the private key does, and why it must never leave your server.
7 min read

[Tokens] Signed Cookies and Session Tokens
How HMAC-signed cookies work, the security attributes every session cookie needs, and when to use sessions vs JWTs.
6 min read

[Operations] CI/CD Secrets Hygiene: GitHub Actions and Pipelines
Encrypted secrets, masked output, OIDC token auth, and the mistakes that leak credentials in build pipelines.
7 min read