100% client-side — verify in your network tab

Django SECRET_KEY Generator

The exact 50-character output of Django's own get_random_secret_key().

$ python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'

What Django actually generates

This page reproduces django.core.management.utils.get_random_secret_key() byte for byte: 50 characters drawn from the alphabet abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+). Note what is not in that set — no uppercase letters. Django's own charset is lowercase-only, and a generator that emits mixed case is not producing a Django key, just a key that happens to work. The result carries about 282 bits of entropy, which is far more than anything in Django needs, and that is fine: the cost of extra length here is zero.

The bias trap

That alphabet has 50 characters, and 50 does not divide 256. A generator that takes a random byte and reduces it modulo 50 makes the first six characters of the alphabet measurably more likely than the rest. Django avoids this because secrets.choice uses rejection sampling internally; this page avoids it the same way, drawing again whenever a value falls outside a clean range. It is a small detail that most online generators get wrong, and it is exactly the kind of thing you cannot see by looking at the output.

Using it

Put the value in an environment variable and read it in settings.py — never commit it. If you generated your project with django-admin startproject, your current key starts with django-insecure-: that prefix is a deliberate marker, and manage.py check --deploy will warn about it until you replace the key. Paste the bare 50 characters from this page, without any prefix. Rotating the key invalidates every session and every password-reset link that is currently outstanding, so do it deliberately.

Is this exactly what Django generates?

Yes. It reproduces get_random_secret_key() byte for byte: 50 characters from Django's own lowercase-only alphabet. A generator that emits uppercase letters is not producing a Django key — it works, but it is not the same thing.

Why does my key start with django-insecure-?

Because django-admin startproject added that prefix deliberately, to mark a key that was generated for local development and committed to your repository. manage.py check --deploy warns about it until you replace it. Paste the bare 50 characters from this page, with no prefix.

What breaks if I rotate SECRET_KEY?

Every active session is invalidated and every outstanding password-reset link stops working, because both are signed with it. That is exactly what you want after an exposure, but it means logging everyone out — so rotate deliberately, not casually.

Nothing leaves your browser

More free generators

Guides