Random Token Generator for Secure Keys and Secrets
A random token generator creates cryptographically secure random strings for API keys, session tokens, CSRF tokens, password-reset links, and other secrets. Pick a format, set the length, and generate tokens that are practically impossible to guess or predict.
This tool is built for developers, DevOps engineers, and security-minded teams who need opaque random values on demand. It draws randomness from the Web Crypto API (crypto.getRandomValues()), backed by your operating system's entropy source — the same quality of randomness production systems rely on, not the predictable output of Math.random().
How to Generate a Random Token
Choose a format
Select one of six output formats: Hex, Base64, Base64URL, Alphanumeric, Numeric, or Custom with your own character set.
Set the length
Use the slider, the input field, or the presets (16, 32, 64, 128). For Hex, Base64, and Base64URL the value is bytes of randomness; for Alphanumeric, Numeric, and Custom it is the number of characters.
Configure options (optional)
Open Advanced Options to add a Prefix like sk_live_, insert a Separator every N characters, or set the Letter Case to lowercase, uppercase, or mixed.
Generate and copy
Set the quantity (1–50) and click Generate. Copy a single token with its copy button, or use Copy All to grab the whole batch at once.
Features
Six Output Formats
Generate tokens as Hex, Base64, Base64URL, Alphanumeric, Numeric, or a Custom character set you define.
Flexible Length Control
Set the length with a slider, direct input, or one-click presets (16, 32, 64, 128), with support for values up to 512.
Batch Generation
Create up to 50 tokens at once, each independently generated with full cryptographic randomness.
Custom Prefix
Prepend a prefix like sk_, pk_live_, or api_ to label token types and environments at a glance.
Readability Options
Insert a dash or space separator every N characters and choose lowercase, uppercase, or mixed case for easier reading.
Entropy Display
See the entropy in bits for your current settings so you can judge the security strength of each token.
One-Click Copy
Copy any single token or the entire batch instantly, with no manual selecting.
Client-Side Only
All generation uses crypto.getRandomValues() in your browser — nothing is sent to or stored on a server.
Frequently Asked Questions
How do I generate a random token?
Choose a format, set the length, and click Generate. The token appears instantly and you can copy it with one click. There is nothing to install or sign up for — open the page and generate.
What length should an API token be?
For most security applications, 32 bytes (256 bits) is recommended — a level that is computationally infeasible to brute-force. For shorter-lived values like session tokens, 16 bytes (128 bits) is usually sufficient.
Is this token generator cryptographically secure?
Yes. It uses crypto.getRandomValues(), the cryptographically secure random number generator built into all modern browsers. It draws entropy from the operating system, giving the same randomness quality as server-side generators — unlike Math.random(), whose output can be predicted.
Are tokens generated in my browser and kept private?
Yes. Every token is generated locally in your browser. No tokens are transmitted over the network, saved, or logged anywhere, and no usage data is collected.
What's the difference between Hex and Base64 tokens?
Hex (0-9, a-f) is the most common format for API keys and secrets, with each byte producing two characters. Base64 (A-Z, a-z, 0-9, +, /) is more compact and common in HTTP headers and JWTs. When a token will appear in a URL, use Base64URL, which swaps + and / for - and _ and drops padding.
How many bits of entropy does a token have?
For Hex, Base64, and Base64URL, each byte adds 8 bits, so a 32-byte token has 256 bits of entropy. For character formats, entropy is the length times the log base 2 of the alphabet size — for example, a 32-character alphanumeric token (62 characters) has about 190 bits. The tool shows the exact entropy for your current configuration.
Why does changing letter case affect entropy?
Forcing an alphanumeric token to all-lowercase or all-uppercase shrinks the effective alphabet from 62 characters (A-Z, a-z, 0-9) to 36 (a-z or A-Z plus 0-9). Fewer possible characters means fewer combinations, so the entropy decreases accordingly.
Can I use these tokens in production?
Yes. These tokens use the same cryptographic primitives production systems rely on. Still, handle them securely: store secrets hashed when possible, transmit only over HTTPS, and apply sensible expiration policies.
No comments yet. Be the first to comment!