About the Django & Flask Secret Key Generator
What is this tool?
Both Django and Flask rely on a SECRET_KEY: a long, random string the framework uses to sign session cookies, generate CSRF tokens, and secure other sensitive values. If this key is weak or exposed, those protections fall apart, so it needs to be genuinely random and kept private. This tool generates one using your browser's cryptographic random number generator, with presets that match what each framework expects.
The Django preset reproduces exactly what get_random_secret_key() produces: 50 characters drawn from Django's own alphabet. The Flask preset matches the common secrets.token_hex(32) recipe, and there are URL-safe and plain-hex options for other uses. Everything is generated locally with crypto.getRandomValues and never leaves your device, which matters a great deal for a value whose entire purpose is to stay secret.
How to Use This Tool
- Pick your framework. Choose the Django or Flask preset, or a generic URL-safe or hex format.
- Adjust if needed. Change the length for the charset formats, or generate several keys at once.
- Copy it. Copy a single key, or use the ready-made settings line shown below the list.
- Store it safely. Put the key in an environment variable or a secrets manager, never commit it to version control.
Frequently Asked Questions
How is the Django SECRET_KEY generated?
Django's get_random_secret_key() picks 50 characters at random from the set of lowercase letters, digits and a handful of symbols. This tool uses that exact alphabet and length by default, so the result is indistinguishable from what Django's own utility produces, just generated in your browser instead.
What should a Flask SECRET_KEY look like?
Flask does not mandate a format, but the documented recommendation is secrets.token_hex(), which gives 64 hexadecimal characters from 32 random bytes. The Flask preset here produces exactly that. A URL-safe token from secrets.token_urlsafe(32) is also fine.
Is it safe to generate a secret key on a website?
With this tool, yes, because the key is created entirely in your browser using the operating system's secure random source, and it is never transmitted or logged. You can even disconnect from the internet, generate the key, and copy it. That said, treat any key as compromised if you are unsure, and rotate it if in doubt.
Where should I store the SECRET_KEY?
Never hard-code it in a file you commit to Git. Store it in an environment variable and read it at runtime, or use a secrets manager. In Django, a common pattern is to read the key from the environment. This keeps the key out of your codebase and lets you use different keys per environment.
What happens if I change the SECRET_KEY?
Changing it invalidates anything signed with the old key: existing sessions are logged out and old password-reset or signing tokens stop working. That is exactly what you want if a key leaks. For a routine deployment, keep the key stable so users are not logged out unexpectedly.
How long should the key be?
Long enough to be effectively impossible to guess. Django's 50-character key and Flask's 32-byte (64-hex) key both provide well over 200 bits of entropy, which is far beyond any brute-force reach. Anything in that range is more than sufficient; there is no benefit to going shorter.