Tangible Bytes

A Web Developer’s Blog

Jwt Secret

JWTs are signed with a secret, which must be stored securely.

This secret is used to sign (or encrypt) the token, and the token can then be validated using the same secret. If the secret is shared between multiple servers, the token can be validated on any of them.

The secret can change over time (at which point any previously issued tokens stop validating) and should be different in each environment, e.g. there is no need to have the same secret in staging and production, as tokens should not be valid across these.

It hasn’t been especially clear to me how a new token is best generated.

I’m using strapi, which generates a token for a new install like so:

const crypto_1 = { default: require('crypto') }; // compiled-TypeScript form of `import crypto from 'crypto'`
const generateASecret = () => crypto_1.default.randomBytes(16).toString('base64'); // 16 random bytes, 24 base64 characters

And as far as I can tell, the JWT secret should be a randomly generated, base64-encoded string.

The length of the string seems to be a trade-off: longer is more secure but more computationally expensive.

Recommendations seem to vary between a length of 16 and 64.

To generate a 32 char secret via bash:

openssl rand -base64 32