Secure Token Generator
Generate cryptographically random tokens in hex, Base64, Base64URL, alphanumeric, or UUID v4 format.
32 bytes → 64 hex chars
Generated with crypto.getRandomValues() : cryptographically secure
Why cryptographic randomness matters for tokens
Not all randomness is equal. Tokens generated with Math.random() or timestamp-based seeds are predictable: an attacker who knows approximately when a token was generated can enumerate possibilities. Cryptographically secure tokens use hardware entropy sources that are practically impossible to predict or reproduce.
This tool uses crypto.getRandomValues(): the same API used by cryptographic libraries and password managers. All generation happens in your browser; no token data is ever sent to a server. Choose your format and length, then use the output directly in your application as an API key, session secret, CSRF token, or password reset link.
Step-by-step guide
- 1Select a format
Choose from Hex, Base64, Base64URL, Alphanumeric, or UUID v4 depending on your use case. - 2Set the byte length
Use the slider to choose from 8 to 128 bytes. A hint shows the resulting output character length for the selected format. - 3Read the generated token
A new token is generated instantly whenever you change the format or length. Click Regenerate to get a fresh token. - 4Copy the token
Click the Copy button to copy the token to your clipboard for use in your application. - 5Use the token securely
Paste the token into your application as an API key, session secret, CSRF token, or any other secret that requires randomness.
Related Tools
Hash Generator
Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. All hashes shown simultaneously with one-click copy.
HMAC Generator
Generate HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 message authentication codes with a secret key.
Security Headers
Reference and generator for HTTP security headers: HSTS, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy, and more.
RSA Key Generator
Generate RSA-2048/3072/4096 key pairs in PEM format using the browser
Frequently Asked Questions
- Is this token truly random and secure?
- Yes. Tokens are generated using crypto.getRandomValues(), the browser's cryptographically secure pseudorandom number generator (CSPRNG). This is the same source of entropy used by password managers and cryptographic libraries.
- Which format should I use for an API key?
- Hex (32 bytes = 64 hex chars) or Base64URL are most common for API keys. Base64URL is slightly shorter and URL-safe (no + or / characters). UUID v4 is a good choice if your system expects a UUID format.
- How many bytes should I use?
- For session tokens and CSRF tokens, 16–32 bytes (128–256 bits) is standard. For API keys and long-lived secrets, 32–64 bytes provides a comfortable security margin. For password reset tokens, 32 bytes is recommended.
- What is Base64URL and how is it different from Base64?
- Base64URL replaces the + character with - and / with _ from standard Base64, and omits padding characters (=). This makes tokens safe to include in URLs and HTTP headers without percent-encoding.
- Is the token ever sent to a server?
- No. Token generation happens entirely in your browser. The tokens are never transmitted anywhere.
- What is the difference between a secure token and a UUID?
- UUID v4 is also randomly generated and cryptographically acceptable for most purposes. However, its fixed 128-bit (16-byte) size means it has less entropy than a 32-byte hex or Base64 token. UUIDs also have a fixed format that includes version and variant bits.
- Can I use these tokens as passwords?
- The tokens are random and high-entropy, which makes them suitable as machine-generated passwords. However, they are not human-memorable. For user-facing passwords, consider using a passphrase generator instead.
- What is the minimum secure token length?
- For modern applications, 128 bits (16 bytes) is a widely accepted minimum. This corresponds to 32 hex characters, ~24 Base64 characters, or a UUID. For higher security (e.g. long-lived API keys), 256 bits (32 bytes) is recommended.
AlteredIdea vs alternatives
vs server-side tools: Everything runs in your browser: your data never leaves your device.
vs command-line tools: No setup needed. Works instantly in any browser.
vs paid tools: Completely free, no account required.