Server Secret Generator
Generate secure server keys for S2S APIs, webhooks, JWT, sessions, encryption, and PKCE.
Unlimited | No signup | Client-side by default
Quick picks
Auto-generated secrets. Refresh until you find one you like, then copy.
Use 64 bytes instead of 32.
Advanced options
How to use (Node.js)
Use for private service to service calls between backends. The generator is already configured to this preset.
const apiKey = process.env.S2S_PRIVATE_API_KEY;
if (req.headers["x-api-key"] !== apiKey) {
res.status(401).end();
}Server-to-Server (S2S) API Key Generator
Use a private API key for internal services and backend to backend calls. Rotate it on a schedule.
Default: 32 bytes, base64url.
Webhook Signing Secret Generator (HMAC-SHA256)
Use an HMAC SHA256 secret to verify webhook signatures and reject tampered payloads.
Default: 32 bytes, base64url.
JWT Secret Generator (HS256)
Generate a strong HS256 secret for JWT signing when a single service owns the key.
Default: 32 bytes, base64url.
JWT Keypair Generator (RS256 / ES256)
Generate RS256 or ES256 JWT keypairs for public verification and safer key distribution.
Default: ES256 (P-256) keypair.
AES-256-GCM Key Generator
Generate 32 byte keys for AES-256-GCM encryption. Always use a unique nonce.
Default: 32 bytes, base64url.
XChaCha20-Poly1305 Key Generator
Generate 32 byte keys for XChaCha20-Poly1305 using libsodium or compatible libraries.
Default: 32 bytes, base64url.
OAuth PKCE Verifier + Challenge Generator
Generate a PKCE verifier and S256 challenge for OAuth authorization flows.
Default: verifier length 64 chars, S256 challenge.
Security notes
- - Client-side generation uses crypto.getRandomValues.
- - No localStorage, cookies, or persistence.
- - Server fallback responses are no-store when used.
Generated locally using Web Crypto when possible.
No secrets stored.