JWT Secret Strength
Check a JWT signing secret for length, entropy, and known weak values.
🔒 Secrets are analysed entirely in your browser.
How strong should a JWT secret be?
RFC 7518 says HMAC keys should be at least as long as the hash output: 32 bytes for HS256, 48 for HS384, 64 for HS512. In practice, treat 32 random bytes as the minimum and 64 as comfortable.
Always generate the secret with a CSPRNG — never use a phrase you could type. Password Generator with 64 chars or UUID v4 are both fine sources.
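The generation and checking steps described above, as an added example that is not this tool's own code: it draws the key from the Web Crypto CSPRNG and then tests length, character variety and a weak-value list. The function names, the constructed weak-secret list and the 3 bits-per-character threshold are assumptions made for illustration.

```javascript
// Added example, not this tool's code. WEAK_SECRETS and the 3 bits/char
// threshold are illustrative assumptions.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Minimum HMAC key sizes in bytes, per the text above.
const MIN_BYTES = { HS256: 32, HS384: 48, HS512: 64 };

// Constructed sample of placeholder secrets; a real list would be far longer.
const WEAK_SECRETS = new Set(['secret', 'changeme', 'password', 'your-256-bit-secret']);

function minBytes(alg) {
  if (!(alg in MIN_BYTES)) throw new Error(`unsupported algorithm: ${alg}`);
  return MIN_BYTES[alg];
}

// Draw the required number of bytes from the CSPRNG and base64url-encode them.
function generateSecret(alg = 'HS256') {
  const bytes = webCrypto.getRandomValues(new Uint8Array(minBytes(alg)));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Empirical Shannon entropy in bits per character; repetition drives it down.
function bitsPerChar(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const c of counts.values()) h -= (c / chars.length) * Math.log2(c / chars.length);
  return h;
}

// Length and variety are necessary, not sufficient: passing these checks
// cannot prove the value came from a CSPRNG.
function checkSecret(secret, alg = 'HS256') {
  const issues = [];
  const byteLen = new TextEncoder().encode(secret).length; // key bytes as UTF-8
  if (WEAK_SECRETS.has(secret.toLowerCase())) issues.push('known-weak');
  if (byteLen < minBytes(alg)) issues.push('too-short');
  if (bitsPerChar(secret) < 3) issues.push('low-variety');
  return { ok: issues.length === 0, byteLen, issues };
}
```

A secret that passes for HS256 is reported as too short when checked against HS512, so run the check with the algorithm the tokens are actually signed with.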