Secret Key Generator
Generate cryptographically random secret keys in hex or base64 format. Choose byte length for your specific algorithm requirements.
Key Length by Algorithm
Different cryptographic algorithms require specific key sizes. AES-128 needs 16 bytes (128 bits); AES-256 needs 32 bytes. HMAC-SHA256 works with any key length but 32 bytes (256 bits) is recommended to match the hash output size. JWT HS256 secrets should be at least 32 bytes; HS512 at least 64 bytes. ChaCha20-Poly1305 uses 32-byte keys. Session secrets for web frameworks (Express, Django) should be at least 32 bytes of random data. When in doubt, 32 bytes (256 bits) is a safe default for most symmetric key applications — it provides security well beyond what current and foreseeable computing power can attack.
Hex vs Base64 Encoding
Secret keys are raw bytes — hex and Base64 are just two ways to represent the same bytes as text for storage and transmission. Hex uses 2 characters per byte (a 32-byte key = 64 hex characters). Base64 uses approximately 1.33 characters per byte (a 32-byte key = 44 Base64 characters). Choose the format your library or framework expects. Most Node.js crypto functions accept hex strings directly. JWT libraries often expect Base64url-encoded secrets. When a framework says "provide a 256-bit secret," you can generate 32 random bytes and encode them in whichever format the library accepts — the underlying key material is identical.
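The two sections above as a Node.js example, added here and not taken from the generator itself: it draws a key from the OS CSPRNG, shows the hex, Base64 and Base64url forms of the same bytes, and decodes a stored value back to raw bytes with a size check before use. The names generateSecret, keyFromText, hmacHex and the SIZES table are assumptions made for this example.

```javascript
// Added example; generateSecret, keyFromText, hmacHex and SIZES are illustrative names.
// Loads node:crypto under either CommonJS or ES modules.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Key sizes in bytes from the text above. exact: cipher keys have a fixed size;
// otherwise the figure is a minimum for a MAC or signing secret.
const SIZES = {
  'AES-128': { bytes: 16, exact: true },
  'AES-256': { bytes: 32, exact: true },
  'ChaCha20-Poly1305': { bytes: 32, exact: true },
  'HMAC-SHA256': { bytes: 32, exact: false },
  'HS256': { bytes: 32, exact: false },
  'HS512': { bytes: 64, exact: false },
};

// Draw key material from the OS CSPRNG and return it with its text encodings.
function generateSecret(bytes = 32) {
  const raw = nodeCrypto.randomBytes(bytes);
  return {
    raw,
    hex: raw.toString('hex'),
    base64: raw.toString('base64'),
    base64url: raw.toString('base64url'),
  };
}

// Decode a stored secret back to raw bytes and check its size for `alg`.
function keyFromText(text, encoding, alg) {
  const rule = SIZES[alg];
  if (!rule) throw new Error(`unknown algorithm: ${alg}`);
  const key = Buffer.from(text, encoding);
  // Buffer.from() silently truncates or skips invalid characters,
  // so require a clean round trip back to the stored text.
  const canonical = encoding === 'hex' ? text.toLowerCase() : text;
  if (key.toString(encoding) !== canonical) throw new Error(`not valid ${encoding}`);
  const ok = rule.exact ? key.length === rule.bytes : key.length >= rule.bytes;
  if (!ok) throw new Error(`${alg}: got ${key.length} bytes, need ${rule.bytes}`);
  return key;
}

// HMAC-SHA256 as hex. A string key is read as UTF-8 text, so pass decoded bytes.
function hmacHex(key, message) {
  return nodeCrypto.createHmac('sha256', key).update(message).digest('hex');
}
```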
Storing Secret Keys Safely
Secret keys must never be committed to source control, even in private repositories. Use environment variables for runtime access, injected by your deployment platform (Vercel environment variables, AWS Secrets Manager, Doppler, or similar). For local development, use a .env file excluded via .gitignore. Rotate keys if there's any possibility of exposure: rotate first, investigate second. Use different keys for each environment (development, staging, production) so that a compromised development key cannot affect production. Build key rotation capability into your architecture before you need it.