Documentation | Generate Secret Keys

Overview

Generate Secret Keys creates secrets, keys, passwords, tokens, hashes, and utility values directly in the browser. Generated values are not intentionally transmitted to a server by the application. External CDNs are used for Bootstrap, Bootstrap Icons, and QR rendering, so an internet connection is needed for those assets unless you host them locally.

The generator uses crypto.getRandomValues() for random bytes and crypto.subtle for hashing, HMAC, JWT signing, and key pair generation where supported by the browser.

JWT Secret Keys

The JWT tab creates random secrets for HMAC-based JWT signing workflows such as HS256, HS384, and HS512.

Entropy bytes: Controls how many random bytes are generated. Higher values create longer, stronger secrets.
Output format: Choose Base64URL, Base64, hexadecimal, or readable ASCII.
Quantity: Generate one or many secrets at once.
JWT_SECRET prefix: Adds environment-style names such as JWT_SECRET_1=....
Enhanced layered output: Adds a structured prefix and extra random segments for a more identifiable secret format.
Timestamp tag: Appends a timestamp marker for tracking when a value was created.

JWT Tools

The JWT Tools tab helps test and inspect JSON Web Tokens locally.

JWT Signer: Signs a token from header JSON, payload JSON, a secret, and an algorithm.
Supported signing algorithms: HS256, HS384, and HS512.
Use generated secret: Pulls the latest JWT secret from the JWT generator into the signer.
JWT Decoder: Decodes the JWT header and payload into formatted JSON.
Load signed token: Moves the latest signed token into the decoder input.
QR output: Renders the signed JWT as a QR code when the QR library is available.

Secure Passwords

The Passwords tab creates random passwords and passphrases with configurable character sets.

Length: Sets password length from short to very long values.
Quantity: Generates multiple passwords in one run.
Symbols: Lets you define the allowed symbol set.
Uppercase, lowercase, numbers, symbols: Include or exclude major character groups.
Require each selected group: Ensures every selected character group appears in each generated password.
Exclude ambiguous characters: Removes visually similar characters such as O, 0, I, l, and 1.
Extra exclusions: Remove additional characters that may be problematic in config files, shells, or legacy systems.
Passphrases: Generates readable word-based secrets with separators and a numeric suffix.

Encryption Keys

The Encryption tab generates random keys suitable for AES-style workflows.

Key size: Choose 128-bit, 192-bit, or 256-bit keys.
Format: Output as hexadecimal, Base64, Base64URL, or byte arrays.
Quantity: Generate multiple keys at once.
Environment prefix: Adds ENCRYPTION_KEY_1=... style names.
Include IV: Adds a 96-bit initialization vector, commonly used with AES-GCM.
Include salt: Adds a 128-bit random salt alongside each key.

IDs and Random Strings

The IDs and Strings tab generates identifiers and compact random values. The Generator dropdown is grouped into UUID/GUID types, sortable database IDs, and random strings. The Length and Custom charset fields apply to the variable-length random string types (NanoID, Base58, URL slug, numeric PIN, and random string); the structured identifiers below have fixed formats and ignore those fields.

UUID / GUID

UUID v4: Standard random UUID from crypto.randomUUID() (version 4, RFC 4122 / RFC 9562).
UUID v4 uppercase: The same random UUID rendered in uppercase.
UUID v7 (sortable): Time-ordered UUID with a 48-bit Unix millisecond timestamp followed by random bits (RFC 9562). Values generated in sequence sort chronologically, which makes them well suited to database primary keys and indexes.
GUID (braced): An uppercase UUID wrapped in curly braces, e.g. {XXXXXXXX-XXXX-...}, matching the Microsoft/.NET registry style.
Nil UUID: The all-zero UUID 00000000-0000-0000-0000-000000000000, useful as a placeholder or sentinel value.

Sortable / database IDs

ULID: A 26-character Crockford Base32 identifier: a 48-bit millisecond timestamp plus 80 bits of randomness. Lexicographically sortable, case-insensitive, and URL-safe.
MongoDB ObjectID: A 24-character hexadecimal ID built from a 4-byte seconds timestamp and 8 random bytes, matching the shape of MongoDB document IDs.
Snowflake ID: A 64-bit numeric ID (returned as a decimal string) combining a millisecond timestamp with random low bits, in the style of Twitter/Discord Snowflakes.

Random strings

NanoID style: Compact URL-safe random identifiers using the A–Z, a–z, 0–9, -, and _ alphabet, sized by the Length field.
Base58 token: Random strings using the Bitcoin/Base58 alphabet, which omits visually ambiguous characters (0, O, I, l).
URL slug: Lowercase URL-friendly strings using letters, numbers, and hyphens.
Numeric PIN: Random numeric codes of the chosen length.
Random string: Random values drawn from your own custom character set and length.

Hash Generator

The Hashes tab creates message digests from text input.

Algorithms: SHA-1, SHA-256, SHA-384, and SHA-512.
Format: Output as hexadecimal, Base64, or Base64URL.
Salt placement: Use no salt, salt before text, salt after text, or salt before and after text.
New salt: Generates a random salt for the hash input.

SHA-1 is included for compatibility checks and should not be used for new security-sensitive designs.

Secret Strength Analyzer

The Analyzer tab estimates the strength of a pasted value.

Length: Counts total characters.
Unique characters: Counts distinct characters used.
Detected groups: Reports uppercase, lowercase, numbers, symbols, and whitespace.
Estimated entropy: Calculates a rough entropy value based on length and detected pool size.
Rating: Labels the value as weak, good, strong, or excellent.
Warnings: Flags short values, low entropy, repeated character runs, common weak words, and whitespace.
Analyze latest output: Pulls the latest generated secret-like value into the analyzer.

Crypto Tools

The Crypto Tools tab contains browser-based helpers for signatures, key pairs, QR codes, exports, and text transforms.

HMAC Generator: Signs a message with a secret using SHA-256, SHA-384, or SHA-512.
HMAC output formats: Hexadecimal, Base64, and Base64URL.
Key Pair: Generates RSA-PSS 2048-bit or ECDSA P-256 key pairs and exports them as PEM.
QR Code: Renders entered text, or the latest generated value, as a QR code.
Export Format: Converts generated output to JSON, YAML, CSV, or environment variable style.
Text Transform: Converts text to Base64, Base64URL, hexadecimal, or URL-encoded output.

Advanced Tools

The More tab contains compact generators for common developer secrets.

Salt Generator: Creates random salts in hex, Base64, or Base64URL.
API Tokens: Creates bearer tokens or prefixed values such as sk_, pk_, or api_.
TOTP Secret: Creates Base32 authenticator secrets and an otpauth:// URI.
.env Bundle: Creates a set of common application secrets for app configuration.

Output Actions

Most output panels include the same action buttons.

Copy: Copies the current output field to the clipboard.
Download: Saves the current output as a text file.
Clear: Clears the current output field.
Clear all: The trash button in the header clears all output fields.
Entropy preview: The visual stream redraws after random generation events and shows the most recent generator type and rough size.

Security Notes

Generated values are created client-side in the browser.
Use HTTPS or localhost for best browser crypto and clipboard support.
Do not reuse production secrets across environments.
Store secrets in a dedicated secret manager when possible.
JWT HMAC secrets should be high entropy and long enough for the selected algorithm.
Encryption keys should be stored separately from encrypted data.
Hashing is not password storage. Use purpose-built password hashing systems such as Argon2, bcrypt, scrypt, or PBKDF2 in production applications.
QR codes can expose sensitive values visually. Only render QR codes in trusted settings.