How long should a JWT Secret be?
A practical baseline for JWT Secret length, plus the parts that matter more than character count.
Quick answer
As a baseline, use at least 32 bytes of random data. Entropy and unpredictability matter more than raw character count.
Practical baseline
For most HMAC-based JWT setups, 32 random bytes is a solid default. If you want extra headroom and your stack accepts it, 64 bytes is also fine. The key requirement is that the secret comes from cryptographically secure randomness.
openssl rand -base64 32

Why short secrets are risky
Short or word-based secrets are easier to guess and brute force. Avoid dictionary words, patterned strings, and reused values.
- Avoid dictionary-only secrets
- Do not embed names or dates
- Do not reuse the same secret across unrelated systems
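The two points above (a 32-byte CSPRNG secret, and rejecting short or word-based ones) as an added, self-contained example that is not part of the original guide: it generates a secret the way the `openssl rand` line does, screens a candidate secret with a length check and an assumed Shannon-entropy cut-off of 3.5 bits per byte, and then uses the secret for the HS256 signing and verification step it protects. The entropy threshold and the helper names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import math
import secrets
from collections import Counter

MIN_SECRET_BYTES = 32    # baseline recommended above
MIN_BITS_PER_BYTE = 3.5  # assumed cut-off: random bytes score ~4.9, word-based strings far lower

def generate_secret(nbytes: int = MIN_SECRET_BYTES) -> bytes:
    """Draw nbytes from the OS CSPRNG (same kind of source `openssl rand` uses)."""
    return secrets.token_bytes(nbytes)

def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution; 0 for empty input."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def check_secret(secret: bytes) -> list:
    """Return findings; an empty list means the secret passes both checks."""
    findings = []
    if len(secret) < MIN_SECRET_BYTES:
        findings.append("too short")
    if shannon_bits_per_byte(secret) < MIN_BITS_PER_BYTE:
        findings.append("low entropy")
    return findings

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def hs256_sign(payload: dict, secret: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def hs256_verify(token: str, secret: bytes) -> bool:
    """Recompute the HMAC and compare in constant time (signature check only;
    a full library also validates the header and the claims such as exp)."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)
```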
Operational tips
Keep separate secrets for development, staging, and production, and plan for rotation before you need it. If JWTs live for a long time, a clear rotation procedure matters just as much as secret length.