Безопасно ли генерировать секретные ключи онлайн?

Да, полностью безопасно. Генерация происходит в браузере с помощью Web Crypto API — стандарта W3C. Ключ никогда не отправляется на сервер и не сохраняется. Проверить это легко: откройте вкладку «Сеть» в DevTools и нажмите «Новый ключ» — сетевых запросов не будет.

Какую длину ключа выбрать для 1С-Битрикс SEOWRITER_API_KEY?

Рекомендуем 256 бит в формате Hex — это 64 символа. Такой ключ обеспечивает надёжную защиту эндпоинта seowriter.php от несанкционированного доступа.

Какую длину выбрать для JWT?

Для HS256 — минимум 256 бит, для HS384 — 384 бита, для HS512 — 512 бит. Выберите платформу JWT в генераторе — нужный алгоритм автоматически выставит правильную длину ключа.

Чем отличается формат Hex от Base64?

Hex использует символы 0-9 и a-f. Строка в 2 раза длиннее в байтах, но содержит только «безопасные» символы. Base64 компактнее — используется в JWT и Laravel APP_KEY. Base64url — вариант без +, / и = (безопасен для URL параметров). Алфавитно-цифровой — только буквы и цифры, удобен для WordPress и Django.

Можно ли использовать один ключ для нескольких проектов?

Нет. Каждый проект, каждый сервис и каждая переменная должны иметь уникальный ключ. Если один ключ будет скомпрометирован, остальные системы останутся в безопасности.

Нужно ли менять ключ при смене хостинга?

Нет, если ключ не был скомпрометирован. При переезде просто скопируйте файл seowriter.php вместе с ключом на новый сервер и убедитесь, что в SEO Writer указан тот же ключ. Менять его нужно только если ключ попал в чужие руки — например, был случайно опубликован в git.

Сколько ключей нужно для WordPress?

WordPress требует 8 уникальных ключей безопасности: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY и 4 соли к ним. Выберите платформу WordPress, количество 10, и используйте кнопку «Скачать wp-keys.txt» — файл будет содержать все 8 констант с уникальными ключами.

Secret Key Generator

Cryptographically secure key generation for Bitrix, JWT, WordPress, Django and Laravel. Works in browser — keys never leave your device.

Platform

Key length

Format

Number of keys

Strong · 256 bits

Never leaves browser

ca42ac47cc66193c773e6d1f169b0d7cf225e48fae7049a87ef9b07733b4cf22

seowriter.php

define('SEOWRITER_API_KEY', 'ca42ac47cc66193c773e6d1f…');

Secret key for seowriter.php. Must match the «Secret key» field in site settings in SEO Writer.

What is a secret key and why you need one

A secret key is a long random string of characters used for cryptographic operations: signing tokens, encrypting data, and authenticating requests between servers. Unlike a password, a secret key is never typed manually — it lives only in config files and environment variables.

Key length is measured in bits. More bits means higher entropy and greater resistance to brute-force attacks. The modern standard for most tasks is 256 bits (32 bytes). JWT with HS512 requires 512 bits.

A secret key is what protects your Bitrix site when integrating with SEO Writer: only a server with the correct key can publish articles through the seowriter.php endpoint.

Using with 1C-Bitrix

When connecting a Bitrix site to SEO Writer you upload a seowriter.php file to your site root. This file is the bridge between SEO Writer and Bitrix. A secret key protects it from unauthorized access — the same key must be set in both the file and the SEO Writer connection settings.

Select 1C-Bitrix in the generator above
A 256-bit Hex key is already generated — click Copy
Paste the key into seowriter.php:
// seowriter.php
define('SEOWRITER_API_KEY', 'your_64_char_hex_key');
Upload the file to your server root (next to index.php)
In SEO Writer site settings paste the same key into the Secret key field and click Test connection

Important: if you change the key in one place you must update it in both. A mismatch will cause a "401 Unauthorized" error during publishing.

Using for JWT

JSON Web Token (JWT) is a standard for securely transmitting data between systems using a digital signature. HMAC algorithms (HS256/HS384/HS512) use a symmetric key — the same key signs and verifies tokens. The key length must be at least as long as the algorithm's hash output.

Algorithm	Min. length	Recommended format
HS256	256 bits (32 bytes)	Base64url
HS384	384 bits (48 bytes)	Base64url
HS512	512 bits (64 bytes)	Base64url

# .env file
JWT_SECRET=your_base64url_key
JWT_ALGORITHM=HS256

Using with WordPress

WordPress uses 8 unique security keys defined in wp-config.php. They protect login sessions, cookies, and nonce tokens.

Select the WordPress platform, set count to 10, then click Download wp-keys.txt — you get a ready-made file with all constant names pre-filled.

// wp-config.php
define('AUTH_KEY', 'key_1');
define('SECURE_AUTH_KEY', 'key_2');
// ... and 6 more keys

Django & Laravel

Django SECRET_KEY

Django uses SECRET_KEY to sign sessions, CSRF tokens, and passwords. Recommended: 50+ characters in alphanumeric or Hex format.

# settings.py
SECRET_KEY = 'your_key'

Laravel APP_KEY

Laravel requires exactly 32 bytes (256 bits) in Base64 format with a mandatory base64: prefix.

# .env
APP_KEY=base64:your_base64_key

Why you can't make up a key manually

Humans are poor random-number generators. We unconsciously rely on patterns: birthdays, favorite words, repeated characters. Even when a key looks random, its actual entropy is far below the theoretical maximum.

A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) draws from physical entropy sources in the OS — mouse movement, keyboard interrupts, thermal noise. The browser's Web Crypto API (the crypto.getRandomValues() method) is exactly that — a W3C-standard CSPRNG available in every modern browser: Chrome, Firefox, Safari, Edge.

Neither the SEO Writer server nor any third-party service is involved in generation. You can verify this yourself: open the Network tab in DevTools and click "New key" — you will see zero network requests.

Requirements for secure secret keys

✓At least 128 bits — Minimum threshold for any use case. For production — 256+ bits.
✓Entropy from a CSPRNG — Not md5 of a timestamp, not a hash of a password — only a cryptographically secure RNG.
✓Unique per service — One key = one service. Never reuse keys across projects.
✓Stored only in a secure location — .env file, environment variables, or a secrets manager. Never commit to git.
✓Rotate on compromise — If the key is exposed — rotate immediately and update every place it is used.

Frequently asked questions

Is it safe to generate keys online?

Yes. Generation happens in your browser via the Web Crypto API — the key is never sent to any server. Open DevTools → Network tab → click "New key": you will see zero network requests.

What length should I choose for the Bitrix SEOWRITER_API_KEY?

256 bits in Hex format (64 characters). Sufficient for strong authentication and easy to paste manually.

Which JWT algorithm — HS256 or HS512?

HS256 is enough for most use cases. HS512 is only needed if your security requirements explicitly mandate a stronger algorithm — it's 30–40% slower but not meaningfully more secure when keys are the correct length.

What is the difference between Hex and Base64url?

Hex is longer (256 bits = 64 characters) and uses only 0-9 and a-f. Base64url is more compact (256 bits = 43 characters without padding) and has no special characters — safe for URLs. Use Hex for Bitrix and Django, Base64url for JWT and Laravel.

How many keys does WordPress need?

8 keys: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and 4 salts. Select WordPress + count 10 → "Download wp-keys.txt" — you get a ready file with all constant names.

Do I need to change the key when switching hosting?

No, unless the key was compromised. Just copy the config file to the new server. Only rotate if the key was exposed — for example, accidentally committed to git.

Can I use one key for multiple projects?

No. Each project needs a unique key. If one key is compromised, the others remain safe.

Need to auto-publish SEO articles?

SEO Writer generates articles with AI and publishes them to WordPress, 1C-Bitrix, InSales, and Joomla — fully automated. 7-day Pro trial free, no card required.

Try for free →