Secrets Generation Checklist: API Keys, Passwords, and JWT Secrets

Use a cryptographically secure random source

Never use Math.random(), timestamp-based seeds, or predictable sequences. Use crypto.getRandomValues() in browsers, crypto.randomBytes() in Node.js, secrets.token_bytes() in Python, or a generator like the one on this site that uses the browser's built-in CSPRNG.

Choose sufficient length

For passwords: minimum 16 characters from a full character set. For API keys: 32+ random bytes (encoded as 64 hex characters or ~43 Base64 characters). For JWT HS256 secrets: minimum 32 bytes (256 bits). For HS512: minimum 64 bytes.

Use a character set that fits the context

Human-typed passwords benefit from mixed case, digits, and symbols. Machine-generated API keys are best as hex or Base64url to avoid special characters that cause issues in URLs, shell scripts, and config files. Avoid ambiguous characters (0/O, l/1) in secrets that humans may need to type.

Never log secrets

Secrets must never appear in application logs, error messages, stack traces, or crash reports. Audit your logging configuration and redact or mask secret fields before shipping to log aggregators.

Store secrets in a secrets manager or environment variables

Hard-coded secrets in source code are a critical vulnerability. Use environment variables for local development and a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler, 1Password Secrets Automation) for production. Never commit .env files to source control.

Rotate secrets on a schedule

Rotate API keys and long-lived tokens periodically (every 90 days is a common baseline). Rotate immediately if a secret is suspected to be compromised. Design systems to support rotation without downtime by accepting both old and new secrets during a transition window.

Scope secrets to the minimum necessary permissions

An API key should only have access to the resources it needs. A read-only key cannot write data if it is compromised. Apply least-privilege to all secrets and service accounts.