home / secret
secretgenerator · secret
Machine-to-machine secret generator
Raw bytes from the OS CSPRNG, encoded as URL-safe base64 without padding. Default 32 bytes (256 bits) — the right shape for JWT signing keys, opaque API tokens, session IDs, and seed material. No charset to argue about, just bytes.
defaults
| bytes | 32 (256 bits) |
| encoding | URL-safe base64, no padding |
| min entropy | 128 bits (NIST 800-131A target) |
| algorithm | crypto/rand + base64url |
generate
runs in your browser · WebAssembly · same code as the CLIcli
Default 32 bytes
secretgenerator secret --json
Prefixed for environment variables
secretgenerator secret --prefix "JWT_" --json
64 bytes for HMAC-SHA-512 keys
secretgenerator secret --bytes 64 --json
snippets
Python generate_secret.py
import secretgenerator_py as sg result = sg.secret(bytes_=32) print(result["password"], "—", result["entropy_bits"], "bits")
Node.js generate-secret.mjs
import { execFileSync } from "node:child_process";
const json = execFileSync("secretgenerator", [
"secret", "--json", "--require-schema-version=1",
"--bytes", "32"
], { encoding: "utf8" });
const out = JSON.parse(json);
console.log(out.password, "—", out.entropy_bits, "bits"); Rust main.rs
use secretgenerator::{secret, SecretOptions};
let r = secret(SecretOptions::default().bytes(32))?;
println!("{} ({:.1} bits)", r.password, r.entropy_bits);
# Ok::<_, secretgenerator::Error>(()) faq
Why base64url and not hex?
Same entropy in fewer characters (43 vs 64 for 32 bytes), URL-safe, and matches the encoding used by JWT, OAuth, and most modern APIs. If you need hex, pipe through xxd or shasum.
Is 32 bytes enough?
Yes for almost everything. NIST SP 800-131A targets 128 bits of strength; 32 bytes (256 bits) gives a 2× safety margin. Use 64 bytes for HMAC-SHA-512 keys where the hash output size dictates the recommended key length.