What is the Random Token Generator?

Generate random tokens in hex, base64, alphanumeric, URL-safe, numeric, symbol, or fully custom character sets using the Web Crypto API. Use them for API keys, session tokens, CSRF tokens, numeric PINs and OTPs, and password reset links that need cryptographic randomness.

All bytes come from crypto.getRandomValues, the same source browsers use for TLS keys. You choose 16, 32, 48, 64, or 128 raw bytes, and the entropy panel updates to show how many bits of randomness that gives in your chosen format. Generate up to 20 tokens at once and download them as a .txt for batch provisioning.

How to use

  1. Pick a token format — hex, base64, alphanumeric, URL-safe, numeric, symbols, or your own custom characters — and the desired length.
  2. Click generate to create a cryptographically secure random token instantly.
  3. Copy the token or generate multiple tokens at once for bulk use.

When to use

  • Issuing API keys, webhook signing secrets, or service-to-service auth tokens.
  • Creating password-reset links, email confirmation tokens, or one-time login URLs.
  • Seeding test fixtures with realistic random IDs that don't collide.

Result

Generate a 256-bit hex token (64 characters) for use as an API key: 'a3f8b2c1d4e5f6...', with full entropy from crypto.getRandomValues.

FAQ

How much entropy do I actually need for an API key?
128 bits is the practical minimum for anything long-lived; it resists brute force well past the heat death of the sun. Use 32 bytes (256 bits) for signing keys or anything mixed into cryptographic operations. 16 bytes is fine for short-lived session tokens.
What's the difference between base64 and URL-safe formats?
Base64 uses + and / and = padding, which break when pasted into URLs or filenames. URL-safe swaps those for - and _ and drops padding. Use URL-safe for anything that ends up in a query string, path, or HTTP header.
Why is alphanumeric entropy lower than hex for the same byte count?
Hex and base64 pack the raw 8 bits per byte directly into characters. Alphanumeric maps each byte into one of 62 characters using modulo, which loses about 2 bits per byte and introduces a tiny bias. Fine for IDs, weaker for crypto secrets.
Is Math.random() acceptable as a fallback if Web Crypto isn't available?
No. Math.random() is a predictable PRNG, and an attacker who sees a few outputs can reproduce future ones. Web Crypto is available in every browser back to 2014 and in all modern Node.js versions. If it's missing, do not generate the secret at all.
Should the same token ever appear twice in my application?
With 16 bytes you'd need to issue around 2^64 tokens before a collision becomes likely (the birthday bound). For all practical workloads — billions of tokens — a collision is statistically impossible and you don't need to store-and-check for uniqueness.
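
The modulo bias described in the alphanumeric answer above can be measured exactly. The following is an added example, not the tool's own code: it counts how the 256 byte values fall onto 62 characters, computes the resulting entropy per character, and shows rejection sampling as one unbiased alternative. The function names and the character ordering are assumptions made for illustration.

```javascript
// Added example. Uses the browser's Web Crypto; falls back to Node's copy when run outside a browser.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;
// Assumed ordering of the 62 characters (the page does not state the tool's ordering).
const ALPHANUMERIC = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Exact number of byte values (0..255) that land on each character under byte % n.
function moduloCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}

// Shannon entropy, in bits per output character, for a table of hit counts.
function entropyBits(counts) {
  const total = counts.reduce((a, b) => a + b, 0);
  return -counts.reduce((h, c) => h + (c / total) * Math.log2(c / total), 0);
}

// The mapping the FAQ describes: every byte becomes one character via modulo.
function tokenModulo(length, charset = ALPHANUMERIC) {
  const bytes = rng.getRandomValues(new Uint8Array(length));
  return Array.from(bytes, (b) => charset[b % charset.length]).join("");
}

// Rejection sampling: discard bytes at or above the largest multiple of
// charset.length that fits in 256, so every character is equally likely.
function tokenUnbiased(length, charset = ALPHANUMERIC) {
  const limit = 256 - (256 % charset.length); // 248 for 62 characters
  let out = "";
  while (out.length < length) {
    const bytes = rng.getRandomValues(new Uint8Array(length * 2));
    for (const b of bytes) {
      if (b < limit && out.length < length) out += charset[b % charset.length];
    }
  }
  return out;
}

const counts = moduloCounts(ALPHANUMERIC.length);
console.log("byte values per character:", Math.min(...counts), "to", Math.max(...counts));
console.log("bits per character, modulo :", entropyBits(counts).toFixed(4));
console.log("bits per character, uniform:", Math.log2(62).toFixed(4));
console.log(tokenModulo(32), tokenUnbiased(32));
```

With 62 characters, the first 8 characters of the set each receive 5 of the 256 byte values and the remaining 54 receive 4, which is the bias the answer refers to.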
