JWT Secret Strength
Check a JWT signing secret for length, entropy, and known weak values.
🔒 Secrets are analysed entirely in your browser.
</>Use this tool programmaticallycurl · JavaScript · MCP
Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.
curl
curl https://api.b-e-a-d.com/tools/jwt-secret-strength/run \
-H "Content-Type: application/json" \
-d '{
"secret": "a"
}'JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/jwt-secret-strength/run", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
"secret": "a"
}),
});
const data = await res.json();
console.log(data.result);MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
"mcpServers": {
"bead": {
"command": "npx",
"args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
}
}
}
# Then ask Claude to call:
mcp__bead__bead_jwt_secret_strengthFull reference: developer docs · OpenAPI spec
How strong should a JWT secret be?
RFC 7518 says HMAC keys should be at least as long as the hash output: 32 bytes for HS256, 48 for HS384, 64 for HS512. In practice, treat 32 random bytes as the minimum and 64 as comfortable.
Always generate the secret with a CSPRNG — never use a phrase you could type. Password Generator with 64 chars or UUID v4 are both fine sources.
You might also like
- JWT BuilderBuild a JWT — set headers, claims, and sign with HS256/384/512 entirely in your browser.
- Password Strength CheckerEstimate the strength of a password — entropy, crack time, and what's making it weak.
- Hashing Snippet GeneratorMD5 / SHA-1 / SHA-256 / SHA-512 / HMAC-SHA256 snippets in Node, browser, Python, PHP, Ruby, Go, Rust, and shell.
- HMAC CalculatorCompute HMAC-SHA1, SHA-256, SHA-384, or SHA-512 over a message and secret — for API signing or message auth.