Language
English English Vietnamese (Tiếng Việt) Vietnamese (Tiếng Việt) Chinese (简体中文) Chinese (简体中文) Portuguese (Brazil) (Português do Brasil) Portuguese (Brazil) (Português do Brasil) Spanish (Español) Spanish (Español) Indonesian (Bahasa Indonesia) Indonesian (Bahasa Indonesia)
Random Token Generator

Random Token Generator

Generate secure random tokens in Hex, Base64, Base64URL, alphanumeric, and custom formats for API keys, session tokens, and secrets.

Random Token Generator for Secure Keys and Secrets

A random token generator creates cryptographically secure random strings for API keys, session tokens, CSRF tokens, password-reset links, and other secrets. Pick a format, set the length, and generate tokens that are practically impossible to guess or predict.

This tool is built for developers, DevOps engineers, and security-minded teams who need opaque random values on demand. It draws randomness from the Web Crypto API (crypto.getRandomValues()), backed by your operating system's entropy source — the same quality of randomness production systems rely on, not the predictable output of Math.random().

Private by design: every token is generated entirely in your browser. Nothing is uploaded, stored, or logged on any server.

How to Generate a Random Token

1

Choose a format

Select one of six output formats: Hex, Base64, Base64URL, Alphanumeric, Numeric, or Custom with your own character set.

2

Set the length

Use the slider, the input field, or the presets (16, 32, 64, 128). For Hex, Base64, and Base64URL the value is bytes of randomness; for Alphanumeric, Numeric, and Custom it is the number of characters.

3

Configure options (optional)

Open Advanced Options to add a Prefix like sk_live_, insert a Separator every N characters, or set the Letter Case to lowercase, uppercase, or mixed.

4

Generate and copy

Set the quantity (1–50) and click Generate. Copy a single token with its copy button, or use Copy All to grab the whole batch at once.

Features

Six Output Formats

Generate tokens as Hex, Base64, Base64URL, Alphanumeric, Numeric, or a Custom character set you define.

Flexible Length Control

Set the length with a slider, direct input, or one-click presets (16, 32, 64, 128), with support for values up to 512.

Batch Generation

Create up to 50 tokens at once, each independently generated with full cryptographic randomness.

Custom Prefix

Prepend a prefix like sk_, pk_live_, or api_ to label token types and environments at a glance.

Readability Options

Insert a dash or space separator every N characters and choose lowercase, uppercase, or mixed case for easier reading.

Entropy Display

See the entropy in bits for your current settings so you can judge the security strength of each token.

One-Click Copy

Copy any single token or the entire batch instantly, with no manual selecting.

Client-Side Only

All generation uses crypto.getRandomValues() in your browser — nothing is sent to or stored on a server.

Frequently Asked Questions

How do I generate a random token?

Choose a format, set the length, and click Generate. The token appears instantly and you can copy it with one click. There is nothing to install or sign up for — open the page and generate.

What length should an API token be?

For most security applications, 32 bytes (256 bits) is recommended — a level that is computationally infeasible to brute-force. For shorter-lived values like session tokens, 16 bytes (128 bits) is usually sufficient.

Is this token generator cryptographically secure?

Yes. It uses crypto.getRandomValues(), the cryptographically secure random number generator built into all modern browsers. It draws entropy from the operating system, giving the same randomness quality as server-side generators — unlike Math.random(), whose output can be predicted.

Are tokens generated in my browser and kept private?

Yes. Every token is generated locally in your browser. No tokens are transmitted over the network, saved, or logged anywhere, and no usage data is collected.

What's the difference between Hex and Base64 tokens?

Hex (0-9, a-f) is the most common format for API keys and secrets, with each byte producing two characters. Base64 (A-Z, a-z, 0-9, +, /) is more compact and common in HTTP headers and JWTs. When a token will appear in a URL, use Base64URL, which swaps + and / for - and _ and drops padding.

How many bits of entropy does a token have?

For Hex, Base64, and Base64URL, each byte adds 8 bits, so a 32-byte token has 256 bits of entropy. For character formats, entropy is the length times the log base 2 of the alphabet size — for example, a 32-character alphanumeric token (62 characters) has about 190 bits. The tool shows the exact entropy for your current configuration.

Why does changing letter case affect entropy?

Forcing an alphanumeric token to all-lowercase or all-uppercase shrinks the effective alphabet from 62 characters (A-Z, a-z, 0-9) to 36 (a-z or A-Z plus 0-9). Fewer possible characters means fewer combinations, so the entropy decreases accordingly.

Can I use these tokens in production?

Yes. These tokens use the same cryptographic primitives production systems rely on. Still, handle them securely: store secrets hashed when possible, transmit only over HTTPS, and apply sensible expiration policies.

All tokens are generated locally in your browser using crypto.getRandomValues(). Nothing is sent to any server.
Choose Hex or Base64 for standard API keys and secrets
Use Base64URL for tokens that appear in URLs (no special characters)
Add a prefix like sk_live_ to identify token types
Use separators to make long tokens easier to read and compare
32 bytes (256 bits) is recommended for most security use cases
All tokens are generated locally using crypto.getRandomValues() — nothing is sent to any server
Want to learn more? Read documentation →
1/7
Start typing to search...
Searching...
No results found
Try searching with different keywords