TL
Tool Lab
πŸ’°Donate
πŸ’°Donate

Random Token Generator

Generate cryptographically secure random tokens in hex, Base64, URL-safe, or alphanumeric format using crypto.getRandomValues.

Format
Bytes of entropy
Count

About This Tool

The Secure Random Token Generator uses the browser's crypto.getRandomValuesAPI to generate cryptographically random byte arrays, then encodes them in your chosen format. Unlike Math.random(), which is not cryptographically secure,crypto.getRandomValues produces entropy suitable for security tokens, API keys, session identifiers, and nonces.

Choose the number of random bytes (more bytes = more entropy = harder to guess), the output format, and how many tokens to generate at once. All generation happens locally in your browser β€” no random data is sent to any server.

How to Use

  1. Select an output Format (hex is the most portable; URL-safe Base64 avoids URL-unsafe characters).
  2. Choose the number of Bytes of entropy. 32 bytes (256 bits) is recommended for most security use cases.
  3. Set the Count to generate multiple tokens at once (e.g., for batch API key creation).
  4. Click Generate and copy individual tokens or all at once.

Use Cases

Developers generate API keys for REST APIs that require bearer token authentication. Back-end engineers create CSRF tokens, session identifiers, or password reset nonces. DevOps teams generate webhook secrets for GitHub, Stripe, or other services. Security engineers create salt values for use with hashing functions. Anyone needing a strong, random password of a specific character set uses this tool as an alternative to password manager generators.

FAQ

  • How many bytes should I use? β€” 16 bytes (128 bits) is the minimum for security tokens. 32 bytes (256 bits) is recommended for long-lived API keys. 64 bytes (512 bits) is overkill but harmless.
  • What is the difference between hex and URL-safe Base64? β€” Hex uses only 4 bits per character (2Γ— longer output). Base64 uses 6 bits per character (shorter output). URL-safe Base64 replaces + and / with - and _, making it safe for use in URLs and filenames without percent-encoding.
  • Is this truly random? β€” Yes. crypto.getRandomValues is backed by the operating system's cryptographically secure pseudorandom number generator (CSPRNG), the same source used by security software.
  • Can I use these as passwords? β€” Yes, though they are not human-memorable. For a memorable passphrase, consider a diceware-style generator. For machine-to-machine secrets, these tokens are ideal.