VAPID Key Generator

Generate secure VAPID public and private keys for Web Push notifications in your browser. Copy Voluntary Application Server Identification key pairs, JWKs, and .env

Generate VAPID key pairs for Web Push entirely in your browser. Nothing ever leaves this page.

Key pair (JSON)

Copy both keys together and import them wherever your backend expects a JSON blob.

.env snippet

Copy & paste directly into your environment file or secrets manager.

JSON Web Keys (JWK)

Some libraries expect keys in JWK format. Copy them directly below.

Public JWK

Private JWK

Usage tips

Follow these best practices when wiring VAPID keys into Web Push.

Store the private key only on trusted servers or secret managers, never in client-side code.
Share the public key with your service worker via environment variables or query params.
Regenerate a key pair whenever you suspect a leak—existing subscriptions will keep working with the new keys.
Use libraries like web-push or @aws-sdk/client-sns to sign outgoing notifications.
Keep an audit trail of when keys were generated and by whom to simplify future rotations.

Other Coding Tools

VAPID Key Generator Tool

Our VAPID Key Generator creates standards-compliant Web Push key pairs directly inside your browser. You receive base64url strings, JSON Web Keys, and ready-to-use .env snippets without transmitting any data to servers.

What is a VAPID key?

A Voluntary Application Server Identification (VAPID) key pair authenticates your Web Push service with browsers. The public key is shared with your service worker and push subscription, while the private key signs outgoing notifications from your backend.

Why generate VAPID keys online?

Generating VAPID keys online with a browser-based tool removes the need for CLI utilities. Our tool calls the SubtleCrypto API locally, so you can produce fresh keys on any platform in seconds.

Are VAPID keys secure in this tool?

Yes. All cryptographic operations run client-side using the Web Crypto API. Nothing is uploaded or logged. Refreshing the page discards previously created keys.

How do I export VAPID keys?

After generation, copy the base64url strings into environment variables or download the JWK JSON objects. The tool also renders an .env snippet for quick sharing with your backend configuration.

Can I regenerate new keys?

Absolutely. Click “Generate new keys” whenever you need to rotate credentials. Existing push subscriptions continue working as long as you update the server-side signing keys.

What browser support is required?

You need a browser with SubtleCrypto support (all modern Chromium, Firefox, and Safari versions). If your browser lacks support, the tool will inform you immediately.

What formats are provided?

The tool exports base64url-encoded keys for quick .env usage plus JSON Web Key (JWK) objects for libraries that require structured metadata such as kty, crv, and x values.

Can I use these keys with the `web-push` library?

Yes. Paste the generated base64url keys into webPush.setVapidDetails() or similar helper functions. The output matches the format expected by popular Node.js and serverless SDKs.

Do the keys expire?

No. VAPID keys remain valid until you rotate them. However, best practice is to periodically regenerate keys and revoke older ones if compromise is suspected.

How do I keep the private key safe?

Store the private key in a secret manager or encrypted environment variable accessible only to your server-side notification service. Never expose it to client-side code or public repositories.

Can multiple projects share one VAPID key pair?

They can, but it’s better to create unique key pairs per project or environment. This prevents cross-application impact if a single key is leaked and improves auditability.