TL
Tool Lab
πŸ’°Donate
πŸ’°Donate

Secret Key Generator

Generate AES, HMAC-SHA, and JWT secret keys using the browser crypto API.

Key Type
Output Format
256 bits Β· 32 bytes Β· 32-byte symmetric encryption key (recommended)

About This Tool

The Secret Key Generator produces cryptographically secure random keys for common cryptographic algorithms. Select the algorithm type (AES-128, AES-256, HMAC-SHA-256, HMAC-SHA-512, JWT secrets, session secrets, or API keys), choose the output format (hex, Base64, or URL-safe Base64), and click Generate. The key is produced usingcrypto.getRandomValues, the browser's CSPRNG.

The key length matches the algorithm's specification exactly: AES-128 needs 16 bytes, AES-256 needs 32 bytes, HS512 needs 64 bytes. Nothing is sent to any server β€” key generation is entirely local.

How to Use

  1. Select the Key Type matching your use case.
  2. Choose the Output Format your application expects (hex is universal; URL-safe Base64 is common for environment variables).
  3. Click Generate Key.
  4. Copy the key and store it securely β€” use a password manager or a secrets manager like AWS Secrets Manager or HashiCorp Vault for production use.

Use Cases

Back-end developers generate AES-256 encryption keys for encrypting data at rest in databases. Node.js engineers generate HMAC-SHA-256 keys for signing webhook payloads. Express.js developers generate session secrets for express-session. API platform builders generate API keys to distribute to customers. Security engineers generate HS256 or HS512 secrets for JWT authentication in stateless APIs.

FAQ

  • Are these keys safe to use in production? β€” Yes, the keys are cryptographically random. However, always store keys securely using a secrets manager rather than hard-coding them in source code or committing them to git.
  • What is the difference between hex and URL-safe Base64? β€” Hex is 2Γ— longer but only uses 0-9 and a-f, making it easy to inspect. URL-safe Base64 is shorter but uses 64 characters (A-Z, a-z, 0-9, -, _) and is safe in environment variables and URLs.
  • Can I use the AES-256 key directly in code? β€” Yes. Copy the hex or Base64 string and parse it in your library (e.g., Buffer.from(key, 'hex') in Node.js) to get the raw bytes.
  • Is there a limit on how many keys I can generate? β€” No. Generate as many as needed. Each click produces a fresh, independent key.