Secure Token Generator

Generate cryptographically random tokens in hex, Base64, Base64URL, alphanumeric, or UUID v4 format.

32
8128

32 bytes → 64 hex chars

Generated with crypto.getRandomValues() : cryptographically secure

Why cryptographic randomness matters for tokens

Not all randomness is equal. Tokens generated with Math.random() or timestamp-based seeds are predictable: an attacker who knows approximately when a token was generated can enumerate possibilities. Cryptographically secure tokens use hardware entropy sources that are practically impossible to predict or reproduce.

This tool uses crypto.getRandomValues(): the same API used by cryptographic libraries and password managers. All generation happens in your browser; no token data is ever sent to a server. Choose your format and length, then use the output directly in your application as an API key, session secret, CSRF token, or password reset link.

Step-by-step guide

  1. 1
    Select a format
    Choose from Hex, Base64, Base64URL, Alphanumeric, or UUID v4 depending on your use case.
  2. 2
    Set the byte length
    Use the slider to choose from 8 to 128 bytes. A hint shows the resulting output character length for the selected format.
  3. 3
    Read the generated token
    A new token is generated instantly whenever you change the format or length. Click Regenerate to get a fresh token.
  4. 4
    Copy the token
    Click the Copy button to copy the token to your clipboard for use in your application.
  5. 5
    Use the token securely
    Paste the token into your application as an API key, session secret, CSRF token, or any other secret that requires randomness.

Related Tools

Frequently Asked Questions

Is this token truly random and secure?
Yes. Tokens are generated using crypto.getRandomValues(), the browser's cryptographically secure pseudorandom number generator (CSPRNG). This is the same source of entropy used by password managers and cryptographic libraries.
Which format should I use for an API key?
Hex (32 bytes = 64 hex chars) or Base64URL are most common for API keys. Base64URL is slightly shorter and URL-safe (no + or / characters). UUID v4 is a good choice if your system expects a UUID format.
How many bytes should I use?
For session tokens and CSRF tokens, 16–32 bytes (128–256 bits) is standard. For API keys and long-lived secrets, 32–64 bytes provides a comfortable security margin. For password reset tokens, 32 bytes is recommended.
What is Base64URL and how is it different from Base64?
Base64URL replaces the + character with - and / with _ from standard Base64, and omits padding characters (=). This makes tokens safe to include in URLs and HTTP headers without percent-encoding.
Is the token ever sent to a server?
No. Token generation happens entirely in your browser. The tokens are never transmitted anywhere.
What is the difference between a secure token and a UUID?
UUID v4 is also randomly generated and cryptographically acceptable for most purposes. However, its fixed 128-bit (16-byte) size means it has less entropy than a 32-byte hex or Base64 token. UUIDs also have a fixed format that includes version and variant bits.
Can I use these tokens as passwords?
The tokens are random and high-entropy, which makes them suitable as machine-generated passwords. However, they are not human-memorable. For user-facing passwords, consider using a passphrase generator instead.
What is the minimum secure token length?
For modern applications, 128 bits (16 bytes) is a widely accepted minimum. This corresponds to 32 hex characters, ~24 Base64 characters, or a UUID. For higher security (e.g. long-lived API keys), 256 bits (32 bytes) is recommended.

AlteredIdea vs alternatives

vs server-side tools: Everything runs in your browser: your data never leaves your device.

vs command-line tools: No setup needed. Works instantly in any browser.

vs paid tools: Completely free, no account required.