What Is a JWT Secret Key?

A JWT secret key is the secret that signs and verifies tokens when you use an HMAC algorithm such as HS256. It is a symmetric key: the same value both creates the signature and checks it, so every service that verifies tokens holds it, and none of them may ever expose it to users. Think of it as the master password behind your entire JWT authentication system: whoever holds it can mint a valid token for any user, with any claims, and your server will accept it. (With asymmetric algorithms such as RS256 or ES256 the signing key is a separate private key and only the public key is handed to verifiers; the rotation advice below applies to both.)

To understand exactly how the secret key is used inside the token, see our guide on what actually happens inside a JWT.

Does the Secret Key Have an Expiry Date?

💡
Simple answer: No. The JWT secret key has no fixed expiry date. Unlike the exp claim inside a token, nothing in the key itself says when it stops being valid: it keeps working until you change it yourself, and every token it signed is accepted for as long as the key is still on your server.

So Why Is It Necessary to Replace It?

Even though it doesn't expire, it's important to replace it periodically for security reasons. The longer a key stays unchanged, the larger the window of risk if it ever gets compromised without you knowing. Main reasons to rotate:

  • To maintain strong security over time
  • In case the key is leaked — intentionally or accidentally
  • To update an old system that may have been using the same key for years

How Often Should You Change Your Secret Key?

There's no single fixed rule, but these general guidelines work well for most applications:

Situation                        Recommended frequency   Priority
Normal use (standard apps)       Every 3–6 months        Medium
High-security applications       Every 1–3 months        High
Suspected key leak or breach     Immediately             Urgent

💡 Simple Example

Suppose you created a secret key and didn't change it for a year. If someone got hold of the key at any point in that year, they could mint valid tokens for any account whenever they liked. Short token lifetimes don't help here: each token may expire in 15 minutes, but the attacker simply signs a new one. Until the key changes, you have no way to stop them.

If you change the key every 3 months, the exposure is bounded. Even if a key is compromised without your noticing, it stops working at the next rotation, so the damage is limited to that period.

What Is Key Rotation?

The process of periodically changing a signing key is called Key Rotation. It is a widely recognized security practice, and one that OWASP's guidance on JWTs and key management recommends.

How to Perform Key Rotation

The key thing here is to do it gradually so you don't log out all your users at once. Follow these steps:

  1. Generate a new Secret Key with a cryptographically secure random generator, for example crypto.randomBytes(64) in Node.js (HS256 needs at least 32 random bytes). Give the key an identifier and put that identifier in the kid header of every token you sign with it.
  2. Sign new tokens with the new key only, but keep verifying tokens signed with the old key for a grace period. Verification selects the key by kid, so a token signed with either key still validates and existing users are not suddenly kicked out. The grace period should be at least as long as your longest token lifetime.
  3. Retire the old key once the grace period has passed and the tokens it signed have expired: remove it from the verification set entirely. Any token still carrying the old kid is rejected from that point.

One caveat: this gradual procedure is for routine rotation. If the key has leaked, there is no grace period. Remove the old key the moment the new one is in place, accept that every user has to log in again, and treat that as the price of the compromise.

JWT Expiry vs. Secret Key — What's the Difference?

Many developers confuse these two. They are completely separate things — understanding the difference helps you design better authentication flows:

Concept            What it controls                              Typical duration
JWT expiry (exp)   When an individual token becomes invalid      Minutes to hours (e.g. 15 min, 1 hr)
Secret key         The key used to sign and verify all tokens     Months (until you manually rotate it)

The token may expire quickly, but the key may last for months. Both need to be managed — but separately, with different strategies.

Things to Keep in Mind

  • The secret key should always be strong — long and random. See our article on why Math.random() should never be used for JWT secrets
  • Never hardcode it in your source code
  • Store it in a secrets manager or vault (e.g. AWS Secrets Manager, HashiCorp Vault) and load it into the process at runtime. A .env file is acceptable for local development only: keep it out of version control and never ship it to production
  • Consider existing users when changing the key — use gradual rotation to avoid sudden logouts

Best Practices (Quick List)

  • Use short-expiry tokens — keep individual JWT tokens short-lived (15–60 minutes)
  • Perform regular key rotation — every 3–6 months for most apps
  • Replace keys immediately if compromised — don't wait
  • Ensure logging and monitoring — track unusual authentication activity so you notice a breach faster

The Bottom Line

JWT secret keys do not expire, but keeping them the same for a long time is not a good idea. If you want to keep your application secure, it is essential to change the secret key periodically.

  • JWT secret keys have no built-in expiry — they last until you manually change them
  • Rotate every 3–6 months for normal apps, every 1–3 months for high-security apps
  • If the key is leaked — change it immediately, no waiting
  • Use gradual rotation to avoid logging out all users at once
  • Always keep the key strong, long and randomly generated, and load it from a secrets manager or environment variable at runtime, never from source code

🔐 Ready to generate a fresh, secure JWT secret key for rotation? Use jwtsecretkeygenerator.com — free, instant, cryptographically secure, and never stored on any server.

Frequently Asked Questions

How long does a JWT secret key last?

A JWT secret key has no fixed expiry date — it stays valid until you manually change it. However, security best practices recommend rotating it every 3 to 6 months for normal applications, every 1 to 3 months for high-security apps, and immediately if you suspect it has been leaked or compromised.

What is JWT key rotation?

JWT key rotation is the process of periodically replacing your old secret key with a new one. The safe way to do it is to: generate a new key, temporarily support both old and new keys so existing tokens stay valid, then gradually phase out the old key once all users have refreshed their tokens.

What is the difference between JWT expiry and JWT secret key?

JWT expiry (the 'exp' claim inside the token) controls how long an individual token is valid — typically minutes to hours. The JWT secret key is a separate server-side key used to sign and verify tokens — it does not expire automatically and can last for months unless you rotate it manually.

What happens when you change a JWT secret key?

When you remove the old secret key, every token it signed fails verification from that moment, because the server no longer holds the key that produced the signature. Every user carrying such a token is logged out and has to sign in again to receive a token signed with the new key. This is why gradual rotation, supporting both keys temporarily and using the kid header to tell the verifier which one applies, is recommended for routine changes. After a leak you skip the grace period on purpose.