Skip to content
BEAD

JWT Secret Strength

Check a JWT signing secret for length, entropy, and known weak values.

🔒 Secrets are analysed entirely in your browser.

</>Use this tool programmaticallycurl · JavaScript · MCP

Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.

curl
curl https://api.b-e-a-d.com/tools/jwt-secret-strength/run \
  -H "Content-Type: application/json" \
  -d '{
  "secret": "a"
}'
JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/jwt-secret-strength/run", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
  "secret": "a"
}),
});
const data = await res.json();
console.log(data.result);
MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
  "mcpServers": {
    "bead": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
    }
  }
}

# Then ask Claude to call:
mcp__bead__bead_jwt_secret_strength

Full reference: developer docs · OpenAPI spec

How strong should a JWT secret be?

RFC 7518 says HMAC keys should be at least as long as the hash output: 32 bytes for HS256, 48 for HS384, 64 for HS512. In practice, treat 32 random bytes as the minimum and 64 as comfortable.

Always generate the secret with a CSPRNG — never use a phrase you could type. Password Generator with 64 chars or UUID v4 are both fine sources.

You might also like