keyloom / Guides

What is a JWT Secret?

A short guide to the secret used for JWT signing and verification, and where it should live.

Quick answer

A JWT Secret is the server-side key used to sign and verify JWTs with an HMAC algorithm such as HS256. It is separate from the token payload, it is the only thing standing between an attacker and a forged token, and it must never be exposed to the browser.

What the secret does

When a JWT uses an HMAC algorithm (HS256, HS384, HS512), the JWT Secret is the shared symmetric key that produces the signature. The same key both issues tokens and verifies them later, so anyone who obtains it can mint tokens the server will accept. Verification code should pin the expected algorithm rather than trusting the `alg` value carried in the token header. Asymmetric algorithms such as RS256 or ES256 work differently: a private key signs and a public key verifies, so there is no single shared secret.

Where it should live

Keep it in an environment variable or a secret manager and read it only on the server. Putting it in `.env.local` is common, but never commit that file to any repository, public or private, and rotate the secret if it ever leaks.

  • Do not send it to the browser
  • Do not hardcode it in source files
  • Do not reuse it across environments: development, staging and production each get their own

Common misconception

The JWT payload is only base64url-encoded, not encrypted: anyone who holds a token can read every claim in it, so the payload is for data, not for secret storage. Also, length alone is not enough: the value must come from a cryptographically secure random generator, and for HS256 it should be at least 32 bytes (256 bits), the size of the hash output.

Related guides