Secret Generator

Generate cryptographically strong secrets for JWT, API keys, session tokens, and passwords. All client-side.

Presets (generated locally with crypto.getRandomValues):

  • JWT Secret (base64url, 48 bytes): NextAuth, JWT, NEXTAUTH_SECRET
  • JWT Secret (base64url, 64 bytes): HS512 / maximum entropy
  • API Key (hex, 16 bytes): Short API tokens
  • API Key (hex, 32 bytes): Standard API tokens
  • Session Secret (base64url, 32 bytes): Express sessions, CSRF
  • Password (20 chars, symbols): DB passwords, admin accounts
  • Password (32 chars, symbols): High-security accounts
  • Password (16 chars, no symbols): Shell-safe, URL-safe

What it does

  • JWT secrets (base64url, 48+ bytes)
  • Hex-encoded API keys and session tokens
  • Human-safe passwords with configurable charset
  • Uses browser crypto.getRandomValues — nothing leaves your machine
  • One-click copy

Privacy

Runs 100% in your browser. Your .env never touches our servers.

Usage examples

Case 1 · JWT secret (base64url)
preset: JWT (48 bytes, base64url)
V8dG3mSvDk2xR6Lq9JjYwP3fNcKzHa_X5tUe7bM1pQs4rYvTi0oFgB_cE8AyWzLx
Case 2 · API key (hex)
preset: API key (32 bytes, hex)
a3f1c9d8e4b7a2f6c1d8e4b7a2f6c1d8e4b7a2f6c1d8e4b7a2f6c1d8e4b7a2f6
Case 3 · Human password
preset: password (20 chars, symbols)
x7$Kp!qW2@mR8hLn&dV

When to use this tool

  • Rotating JWT_SECRET / NEXTAUTH_SECRET after a suspected leak
  • Bootstrapping a new project that needs session/CSRF secrets
  • Generating a database password for a new service account
  • Creating an internal API token with strong entropy
  • Replacing hand-typed secrets in a legacy .env

Common mistakes

  • Regenerating a secret in prod without updating every service that depends on it (sessions will invalidate)
  • Using a 16-byte secret where the spec needs 32+ (e.g. HS512 JWTs)
  • Trusting the generated password for critical accounts without also enabling 2FA
  • Keeping the generated value in browser history or sharing screenshots

Random Secret Generator

Generate cryptographically strong secrets with crypto.getRandomValues — the same primitive Node.js, Django, and Rails use internally. Perfect for JWT_SECRET, NEXTAUTH_SECRET, SESSION_SECRET, APP_KEY, and API tokens.

Why not just mash the keyboard?

Because predictable secrets get brute-forced. JWTs signed with a weak secret can be cracked in minutes. Every secret this tool produces has full 256-bit entropy (or more) and is generated locally in your browser — never sent or logged.
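
How the hex, base64url and password presets can be produced from crypto.getRandomValues, as an added example that is not the tool's own code. The function names and the symbol set are assumptions; the per-algorithm minimum key sizes come from RFC 7518, section 3.2, not from this page.

```javascript
// Added example; names are illustrative, not the tool's own.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const ALNUM = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
const SYMBOLS = '!@#$%^&*-_=+'; // assumed symbol set; the page does not list one

// Minimum HMAC key size in bytes: RFC 7518 section 3.2 requires a key at
// least as long as the hash output.
const HS_MIN_BYTES = new Map([['HS256', 32], ['HS384', 48], ['HS512', 64]]);

function randomBytes(n) {
  return rng.getRandomValues(new Uint8Array(n));
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

function toBase64Url(bytes) {
  // Standard base64, then swap to the URL-safe alphabet and drop padding.
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function jwtSecret(alg) {
  const n = HS_MIN_BYTES.get(alg);
  if (n === undefined) throw new Error(`unsupported algorithm: ${alg}`);
  return toBase64Url(randomBytes(n));
}

function password(length, charset) {
  if (charset.length < 2 || charset.length > 256) throw new RangeError('bad charset');
  // Rejection sampling: bytes at or above the largest multiple of
  // charset.length are discarded, so `b % charset.length` has no modulo bias.
  const limit = 256 - (256 % charset.length);
  let out = '';
  while (out.length < length) {
    for (const b of randomBytes(length)) {
      if (b < limit && out.length < length) out += charset[b % charset.length];
    }
  }
  return out;
}
```

For instance, `jwtSecret('HS512')` returns an 86-character base64url string (64 random bytes), and `password(16, ALNUM)` corresponds to the shell-safe preset.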
