Create cryptographically secure random tokens for API keys, session identifiers, CSRF tokens, and secret keys. Configure the byte length and output format to match your requirements.
How it works
The generator fills a byte array with cryptographically random values using crypto.getRandomValues, then encodes the result to your chosen format. Hexadecimal encoding converts each byte to a two-character hex pair. Base64 URL-safe encoding uses the web-safe alphabet (- and _ instead of + and /) with padding removed, ideal for use in URLs and HTTP headers. Alphanumeric encoding maps each byte to the 62-character A-Z a-z 0-9 alphabet.
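The three encodings described above, as an added JavaScript example that is not the generator's own source. The page does not say how bytes are mapped onto the 62-character alphabet; this version assumes rejection sampling, because a plain `byte % 62` makes eight of the characters more likely than the rest. All function names are illustrative.

```javascript
// Added example, not the tool's source. Runs in browsers and in Node.js.
// Older Node versions lack globalThis.crypto, hence the fallback.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;
const ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// 248: the largest multiple of 62 that fits in one byte.
const LIMIT = 256 - (256 % ALPHANUM.length);

function randomBytes(n) {
  // getRandomValues fills the typed array in place and returns it.
  return rng.getRandomValues(new Uint8Array(n));
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function toBase64Url(bytes) {
  // Standard base64, then swap to the URL-safe alphabet and strip padding.
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// For a naive `byte % 62` mapping: how many of the byte values below
// `limit` land on each character. Uneven counts mean a biased token.
function moduloHits(limit = 256) {
  const hits = new Array(ALPHANUM.length).fill(0);
  for (let b = 0; b < limit; b++) hits[b % ALPHANUM.length]++;
  return hits;
}

// Unbiased variant: bytes >= 248 are discarded and replaced by fresh ones.
function alphanumericToken(length) {
  let out = "";
  while (out.length < length) {
    for (const b of randomBytes(length - out.length)) {
      if (b < LIMIT) out += ALPHANUM[b % ALPHANUM.length];
    }
  }
  return out;
}

// Characters needed to carry `bits` of entropy at log2(62) bits each.
function alphanumericLengthFor(bits) {
  return Math.ceil(bits / Math.log2(ALPHANUM.length));
}
```

An alphanumeric character carries about 5.95 bits rather than 8, so a 256-bit alphanumeric token needs 43 characters, the same length as 32 bytes in unpadded base64url.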
Practical example
You're building a REST API and need a secure API key for your clients. Set length to 32 bytes and format to hexadecimal. The result is a 64-character hex string — 256 bits of entropy — suitable for an Authorization header like "Bearer 3f8a2d...".
Frequently asked questions
Answers to common questions about this generator and how it works.
How many bytes do I need for a secure token?
16 bytes (128 bits) is the current minimum recommendation for session tokens. For API keys and secrets, 32 bytes (256 bits) is the industry standard. More bytes means more entropy and a harder-to-guess token.
Which format should I choose?
Hexadecimal is the most portable and widely accepted. Base64 URL-safe produces shorter strings (useful when token length matters) and works safely in URLs and HTTP headers. Alphanumeric outputs only letters and digits, useful when symbols are not allowed.
Can I use this for CSRF tokens?
Yes. A 32-byte base64url token is a solid choice for CSRF protection. Generate one per user session, store it in the session, and validate it on every state-changing request.
What is the difference between a token and a password?
Passwords are meant to be memorable; tokens are not. Tokens are typically longer, fully random, and used in machine-to-machine authentication. They are usually stored securely and rotated on a schedule.
Is the output truly random?
Yes. The generator uses crypto.getRandomValues, which draws from a cryptographically secure pseudo-random number generator (CSPRNG) provided by your browser. It meets the requirements for security-sensitive applications.