Is this truly random and cryptographically secure?

Yes. The generator uses window.crypto.getRandomValues(), the same CSPRNG used by modern browsers for TLS. It is not predictable.

Is my data uploaded to a server?

No. Everything runs locally in your browser using JavaScript. Your tokens never leave your device.

What is the difference between hex and Base64 URL-safe?

Hex uses characters 0–9 and a–f (4 bits per char). Base64 URL-safe uses A–Z, a–z, 0–9, - and _ (6 bits per char), so it is shorter for the same entropy.

How do I use a generated token as a JWT secret?

Generate a 32-byte Base64 URL-safe token (43 characters). Copy it and set it as your JWT_SECRET or APP_KEY environment variable.

🔑

Random Token Generator

Generate cryptographically secure random tokens in hex, Base64, alphanumeric or custom character sets. Set any length. Free, runs entirely in your browser.

🔒 Security Tools Free Browser-based

Tool

Format

Token length (characters)

Number of tokens

Separator

Generated Tokens

Why Use Cryptographically Secure Tokens?

Random tokens are used as API keys, session secrets, CSRF tokens, password reset links and OAuth client secrets. They must be generated using a cryptographically secure random number generator (CSPRNG) — not Math.random() — to prevent attackers from predicting token values. This tool uses the browser's built-in crypto.getRandomValues(), which is a CSPRNG.

Recommended Token Lengths

Use Case	Recommended Length	Format
API key	32–64 chars	Hex or alphanumeric
Session secret	32 bytes (64 hex chars)	Hex
Password reset token	32 chars	Alphanumeric
JWT signing secret	32 bytes (43 base64url)	Base64 URL-safe
CSRF token	16–32 chars	Hex

Tips

Never reuse tokens. Always store tokens hashed (bcrypt or SHA-256) in your database and compare hashes, not plaintext values. Tokens generated here are completely random and are never logged or transmitted.

Random Token Generator

Why Use Cryptographically Secure Tokens?

Recommended Token Lengths

Tips

Frequently Asked Questions