Secret Generator — SESSION_SECRET & API Keys

1. What does this tool do

This free online secret generator creates secret keys (e.g. SESSION_SECRET, API keys) as cryptographically random bytes in your browser. Choose byte length (1–512; 32 is common for SESSION_SECRET) and encoding (hex, base64, or base64url). Copy the result into your .env, config, or code. No sign-up, no server. All generation uses crypto.getRandomValues() (CSPRNG).

2. How to use it

Quick start: Set byte length (e.g. 32), choose encoding (Hex, Base64, or Base64 URL), click Generate secret, then copy.

1. Byte length — Enter 1–512. Common: 16 (128-bit), 32 (256-bit for SESSION_SECRET).
2. Encoding — Hex: 0-9a-f (2 chars per byte). Base64: standard; use for config. Base64 URL: URL-safe (no + or /); use for tokens in URLs.
3. Click Generate secret and copy the result.

3. How it works

All randomness comes from the Web Crypto API (crypto.getRandomValues()). The tool generates that many random bytes, then encodes them as hex, base64, or base64url. All computation is client-side; nothing is sent to a server.

4. Use cases & examples

• SESSION_SECRET — 32 bytes, hex or base64; copy into .env for iron-session, Express, or similar.
• API keys / tokens — Desired byte length; base64url for URL-safe tokens.
• Config / .env — Hex (64 chars for 32 bytes) or base64; paste into env vars.

Example

• 32 bytes hex → 64 hex characters (e.g. for SESSION_SECRET).
• 32 bytes base64 → ~44 characters; copy into .env.

5. Limitations & known constraints

• Byte length — Capped at 512 bytes per secret.
• Browser support — Requires crypto.getRandomValues(). Available in all modern browsers.
• No persistence — Generated values are not stored; copy them if you need to keep them.