Generate a secret key for JWT?

Just expanding on @nodd13's post, I have used the following (in LinqPad) to randomly generate a key:

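// 32 bytes = 256 bits of key material from the OS cryptographic RNG
var key = new byte[32];
RNGCryptoServiceProvider.Create().GetBytes(key);
var base64Secret = Convert.ToBase64String(key);
// make safe for url (base64url alphabet, trailing '=' padding stripped)
var urlEncoded = base64Secret.TrimEnd('=').Replace('+', '-').Replace('/', '_');

// LinqPad helper that prints the value
urlEncoded.Dump();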

This is indeed random, and as I understand it you only need to do this once; you can then store this in your web.config to be referenced later.

Author by

xaisoft

Updated on June 16, 2022

Comments

  • xaisoft over 1 year

    Currently I have a hard-coded secret key I use for my JWT token generation. What is the best way to generate this randomly when generating the token? Also, what I don't understand is, if the secret is randomly generated, how can it be that the secret would be randomly generated again for authentication purposes? Am I missing something here, or am I way off on how this works? It appears that the secret key is not even random. Is it something I would store in web.config, for example?

  • Imdad over 5 years
    Is it safe to be stored in the web.config for a web api 2 project?
  • Bernard Chen almost 5 years
    Aren't the equal signs at the end of a base64-encoded string supposed to be there as part of the padding expected of base64 strings where the grouping of bits requires it?
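
The generate-once, store, reuse flow the answer describes, together with the padding restoration the base64 comment asks about, as an added C# example (not code from the original post). The `JwtKeyDemo` class, its helper names and the sample claims are assumptions made for illustration; the token verifies under the stored key and fails under a regenerated one.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; JwtKeyDemo and its helpers are hypothetical names, not from the answer.
static class JwtKeyDemo
{
    // Base64url as in the answer: '+' -> '-', '/' -> '_', trailing '=' dropped.
    static string ToBase64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Undo the mapping and restore the '=' padding that Convert.FromBase64String requires.
    static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    // HS256 signature over "header.payload".
    static string Sign(string signingInput, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return ToBase64Url(hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput)));
    }

    static bool Verify(string token, byte[] key)
    {
        int dot = token.LastIndexOf('.');
        if (dot < 0) return false;
        string expected = Sign(token.Substring(0, dot), key), actual = token.Substring(dot + 1);
        int diff = expected.Length ^ actual.Length;   // compare without an early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    static void Main()
    {
        var key = new byte[32];                        // generated once, at provisioning time
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        string stored = ToBase64Url(key);              // the string that is kept in configuration
        byte[] loaded = FromBase64Url(stored);         // every later run decodes it, never regenerates
        string input = ToBase64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}")) + "." +
                       ToBase64Url(Encoding.UTF8.GetBytes("{\"sub\":\"demo-user\"}")); // constructed claims
        string token = input + "." + Sign(input, loaded);
        var other = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(other);
        Console.WriteLine("stored key: {0}, regenerated key: {1}", Verify(token, loaded), Verify(token, other));
    }
}
```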