ToolJutsu
All tools
Developer Tools

Random Token Generator

Generate secure random tokens — alphanumeric, hex, base64url or URL-safe.

Charset
32 chars · ≈ 191 bits
  • 113MPRKqvxOgDO5P60ZXAMoRRrwPPd8YP
Processed on your device. We never see your files.

How to use Random Token Generator

What is a secure random token?

A token, in this context, is an opaque string used as a credential — something a server hands out (or accepts) to identify a session, a request, an account-recovery link or any other capability that shouldn’t be guessable. “Secure” means two things together: the bytes come from a cryptographically-secure PRNG (not Math.random()), and the resulting string is long enough that brute-force search is computationally infeasible. The combination is what makes the token unguessable in practice, not just in theory.

How the generator works

Every token on this page is built the same way:

  1. Read raw bytes from crypto.getRandomValues() — the browser’s CSPRNG, seeded by the operating system’s entropy pool.
  2. Encode those bytes into the requested charset:
    • Alphanumeric maps each random byte into one of 62 symbols (A–Z a–z 0–9) with rejection sampling to avoid modulo bias.
    • Hex is straight byte-to-[0-9a-f] — two characters per byte.
    • Base64url is RFC 4648 §5 — three bytes to four characters, with - and _ instead of + and /, no padding.
    • URL-safe uses the same 62-symbol alphanumeric set, guaranteed to need no escaping anywhere a URL flows.
  3. Trim to the requested length and emit.

For bulk generation, the loop runs entirely on your CPU; a batch of 50 × 64-character tokens completes in single-digit milliseconds and never touches the network.

Common use cases

  • API keys. Generate one per integration; store a hash on the server, show the raw key to the user once.
  • Session tokens / refresh tokens. Issued at login, rotated on refresh, stored as a hash in the session table.
  • CSRF tokens. Per-session or per-form values that must match between the cookie and the submitted form to prove the request came from the same origin.
  • Password-reset and magic-link tokens. Single-use, short-lived, embedded in a URL — base64url or URL-safe charset, ≥128 bits.
  • OAuth state and PKCE code_verifier. Random per-flow values used to bind the redirect back to the originating request; base64url is the convention.
  • Database-row tokens / share links. Public-facing capability URLs (/share/abc123…) where the token is the access control.

How to use this token generator

  1. Pick a charset. URL-safe or base64url for anything that ends up in a URL. Hex when you need maximum compatibility with older systems or want a fixed length per byte. Alphanumeric for human-readable tokens (no +, /, - or _ ambiguity).
  2. Pick a length. The page shows the resulting entropy live — keep it ≥128 bits for anything security-sensitive. For low-value, short-lived codes (email verification, magic link) 80–96 bits is acceptable.
  3. Optional: set bulk count between 1 and 50 to generate a batch in one click — handy for seeding a database with test keys.
  4. Click Generate. Copy one or copy all. Generation is instantaneous; click again as many times as you like to refresh.

Security considerations

  • Use a CSPRNG. This tool already does — crypto.getRandomValues() is the right source. Never roll tokens with Math.random(), Date.now(), or PHP mt_rand(); they’re predictable.
  • Hash before storing. Treat a token like a password: store SHA-256(token) and compare hashes on incoming requests. A database leak then doesn’t leak live credentials.
  • Constant-time comparison. When matching a presented token against a stored hash, use a constant-time comparison (crypto.subtle.timingSafeEqual, Python hmac.compare_digest, Go subtle.ConstantTimeCompare) to avoid timing side-channels.
  • Right length for the job. Don’t issue a 12-character token to protect a multi-year API key — it can be brute-forced. Don’t issue a 128-character token for a six-digit phone-confirmation code where rate-limiting does the job.
  • Rotate on compromise. Make sure your code path supports rotating any token cheaply; one-click rotation in your admin UI is a feature, not a luxury.

Privacy

Every token shown on this page is generated in your browser tab. The random bytes come from crypto.getRandomValues(), the encoding loop runs on your CPU, and the result is rendered into the DOM. Nothing is uploaded, no analytics are collected on the values you generate, and no token leaves the page. You can confirm by opening the Network panel or by generating tokens with your network disconnected.

Compatibility notes

The tool requires crypto.getRandomValues() and basic DOM APIs — both available in every browser released since 2014 (IE 11 supported the API; every modern browser does). The output strings use only ASCII characters, safe for any storage system, URL, header value, JSON field or terminal. Hex output is lowercase by convention; if you need uppercase for a specific system, the surrounding code can toUpperCase without changing the bytes.

Frequently asked questions

How much entropy do I actually need?
For anything that authenticates a user or a session, aim for at least 128 bits of entropy — the standard cryptographic floor. Entropy is length × log2(charset size): a 32-character alphanumeric token (62 symbols) gives about 190 bits, a 22-character base64url token gives 128 bits, and a 32-character hex token gives 128 bits. Password-reset and magic-link tokens, CSRF tokens, OAuth state and code_verifier values, and session identifiers should all be ≥128 bits. API keys that grant broad access are often issued at 192–256 bits for extra margin. Below ~80 bits, online brute-force becomes practical for a determined attacker.
What's the difference between base64url and URL-safe?
They're the same idea with slightly different scopes. Base64url (RFC 4648 §5) replaces the standard Base64 characters + and / with - and _, and drops the = padding — the result is safe to drop into a URL path or query without percent-encoding. "URL-safe" in this tool means the alphanumeric set [A–Z a–z 0–9] (62 symbols, no punctuation at all) — also URL-safe, but slightly less dense per character. Pick base64url when you want compact tokens, alphanumeric when you want a token that survives every imaginable transport (logs, CSV, copy-paste into chat) without escape concerns.
Should I store generated tokens in the database as-is?
Generally no. If the token authenticates a user — session token, API key, password-reset link — store a hash of it, not the token itself. Treat the token like a password: SHA-256 the value, store the hash, and compare hashes on incoming requests. That way a database leak doesn't immediately compromise live sessions. The exception is short-lived, low-value tokens (a 5-minute email-verification code, for example) where the operational cost of hashing isn't worth it. Long-lived API keys should always be hashed at rest; this is why services like GitHub and Stripe show the secret value exactly once.
How often should I rotate API keys and tokens?
It depends on blast radius. Session tokens rotate naturally — every login is a new one. API keys for first-party services should rotate on a schedule (quarterly is a reasonable default) and immediately on any suspicion of leak. OAuth refresh tokens are usually long-lived but revoke-on-demand. CSRF tokens rotate per session or per form submission. Password-reset and magic-link tokens are single-use and short-lived (10–30 minutes). The principle: the longer-lived the token, the more important the storage hardening and the easier you should make rotation.
Are the tokens generated by this page truly random?
Yes — they come from crypto.getRandomValues(), the browser's cryptographically-secure pseudo-random number generator. That's the same CSPRNG used to generate WebAuthn keys, TLS session keys in the browser, and Web Crypto secrets. The values never leave your machine: nothing is sent to a server, no analytics are collected on the token contents, and the page works offline once loaded. If you want absolute assurance, generate a batch, then turn off Wi-Fi and generate another — the second batch will appear instantly, because everything runs locally.

Related tools

Password Generator

Generate strong, configurable passwords.

UUID Generator

Generate v1 and v4 UUIDs in bulk.

ULID Generator

Generate sortable, time-based ULIDs.

OTP Generator

Generate cryptographically random one-time numeric codes (4/6/8 digits).

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes.

Passphrase Generator

Generate memorable passphrases from a curated word list.