
Node.js generated JWT secret, nanoid() vs crypto.randomBytes() which is stronger


Which method will generate stronger secret?

A 64-character secret generated by nanoid (https://www.npmjs.com/package/nanoid) with the characters 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-, e.g.: hNr3COb9fSz5qfZBCQx3GkpLVW-tbVM0E-Nl8xgcf8Js8-l6fqOIfSd6Gk-T_nkE

or crypto.randomBytes(32).toString('hex'), e.g.: d152189824ea6b25c34048960dfa57722d547eff9e4e98a67064d910010e6747

Both create a 64-character number, but I'm not sure which is stronger as a secret for JWT signing (HS256).

Maarten Bodewes:
Nanoid doesn't seem to be made for this - it generates an ID not a key. Just generating 32 secure random bytes is fine for HMAC/SHA-256 - presuming you are OK with keeping it in software of course, but that's generally OK for tokens. Don't confuse hex / base 64 with the bytes that are encoded using them.
wefad12292:
@MaartenBodewes do I understand correctly that the decoded secret from .randomBytes() has higher entropy than a secret generated from 64 alphabet characters? (e.g. the decoded secret �txK�:O�>�o/2�L�Q�B� has characters like ">" and "/" and some that aren't represented in UTF-8, e.g. �), so it's harder to theoretically brute force it?
Maarten Bodewes:
That depends what is encoded by those characters. Nanoid seems to encode 126 random bits from the same crypto module. For HMAC/SHA-256 you'd normally use a 256-bit / 32-byte key, and larger key sizes are unnecessary. `crypto.randomBytes` should normally use the RNG of the OS, which is fine. Not sure about the exact entropy in there, but on a correctly configured system I'd expect 128 bits *minimum*. Entropy is always a bit of a laden term when it comes to PRNGs and - sorry - JavaScript / NodeJS documentation is terrible, so you'd have to look into the source code to be sure.
wefad12292:
@MaartenBodewes got it, thanks a lot.