Random Token Generator

About This Tool

The Secure Random Token Generator uses the browser's crypto.getRandomValues API to generate cryptographically random byte arrays, then encodes them in your chosen format.

Unlike Math.random(), crypto.getRandomValues produces entropy suitable for security tokens, API keys, session identifiers, and nonces. All generation happens locally in your browser.

How to Use

1. Select an output format. Hex is the most portable; URL-safe Base64 avoids URL-unsafe characters.
2. Choose the number of bytes of entropy. 32 bytes (256 bits) is recommended for most security use cases.
3. Set the count to generate multiple tokens at once (e.g., for batch API key creation).
4. Click Generate and copy individual tokens or all at once.

Use Cases

Developers generate API keys for REST APIs. Back-end engineers create CSRF tokens, session identifiers, or password reset nonces. DevOps teams generate webhook secrets for GitHub, Stripe, or other services.

FAQ

• How many bytes should I use? — 16 bytes (128 bits) is the minimum for security tokens. 32 bytes (256 bits) is recommended for long-lived API keys. 64 bytes (512 bits) is overkill but harmless.
• What is the difference between hex and URL-safe Base64? — Hex uses only 4 bits per character (2× longer output). URL-safe Base64 uses 6 bits per character and replaces + and / with - and _, making it safe for URLs and filenames without percent-encoding.
• Is this truly random? — Yes. crypto.getRandomValues is backed by the OS's cryptographically secure pseudorandom number generator (CSPRNG), the same source used by security software.