~/envtools
.env · create🔥 popular

Secret Generator

Generate cryptographically strong secrets for JWT, API keys, session tokens, and passwords. All client-side.

Be the first to rate
generated locally with crypto.getRandomValues
JWT Secret (base64url, 48 bytes)
NextAuth, JWT, NEXTAUTH_SECRET
JWT Secret (base64url, 64 bytes)
HS512 / maximum entropy
API Key (hex, 16 bytes)
Short API tokens
API Key (hex, 32 bytes)
Standard API tokens
Session Secret (base64url, 32 bytes)
Express sessions, CSRF
Password (20 chars, symbols)
DB passwords, admin accounts
Password (32 chars, symbols)
High-security accounts
Password (16 chars, no symbols)
Shell-safe, URL-safe

What it does

  • JWT secrets (base64url, 48+ bytes)
  • Hex-encoded API keys and session tokens
  • Human-safe passwords with configurable charset
  • Uses browser crypto.getRandomValues — nothing leaves your machine
  • One-click copy

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

Random Secret Generator

Generate cryptographically strong secrets with crypto.getRandomValues — the same primitive Node.js, Django, and Rails use internally. Perfect for JWT_SECRET, NEXTAUTH_SECRET, SESSION_SECRET, APP_KEY, and API tokens.

Why not just mash the keyboard?

Because predictable secrets get brute-forced. JWTs signed with a weak secret can be cracked in minutes. Every secret this tool produces has full 256-bit entropy (or more) and is generated locally in your browser — never sent or logged.

Related tools

ENV Generator
Stack-aware .env boilerplates
ENV Validator
Paste .env, catch every bug
ENV Leak Checker
Detect leaked secrets in seconds

Learn more

guide · 8 min
10 .env best practices every team should follow
Battle-tested rules for .env files: what to commit, what to rotate, how to structure secrets across dev, staging, and production, and the common mistakes that cause outages.
coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.