1 min read · Dec 4, 2018
I’ve looked at three top search results on JWT talking about “the” secret, but they say nothing about where this secret should come from, whether it might be a shared secret, whether it should be base64-encoded and, if not, whether it ought to be hex, an ASCII password, a raw binary random number, or something else.
One page suggests that the web browser should not know the secret; another eventually suggests that a 48-bit secret is too short.
Maybe it’s obvious to you security gurus, but for the rest of us, please give guidelines.