
Token Generator

The Token Generator creates cryptographically secure random tokens suitable for API keys, session tokens, CSRF tokens, HMAC signing keys, and other security-sensitive uses. It supports multiple output formats (hex, Base64, Base64url, alphanumeric) and configurable lengths from 16 to 512 bits. All randomness comes from the browser's crypto.getRandomValues() CSPRNG – no server is involved.

What makes a token secure?

A security token is secure when it is generated from a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator), long enough to be infeasible to guess, and unique with overwhelming probability. A token of 128 bits has 2^128 ≈ 3.4×10^38 possible values – at a billion guesses per second, it would take longer than the age of the universe to brute-force. Common mistake: using Math.random() in JavaScript, which is a non-cryptographic PRNG that is predictable from its seed. Always use crypto.getRandomValues() (browser), os.urandom() (Python), or a language's cryptographically secure equivalent for security tokens.

How does the generator work?

The tool calls crypto.getRandomValues() with a Uint8Array of the required byte length (e.g. 32 bytes for 256 bits). This fills the array with cryptographically random bytes from the operating system's entropy pool (e.g. /dev/urandom on Linux). The byte array is then formatted into the selected output format: hex encodes each byte as two hexadecimal digits; Base64 encodes the bytes using the standard Base64 alphabet; Base64url replaces + with - and / with _ for URL safety; alphanumeric maps bytes to a 62-character alphabet using rejection sampling to avoid modulo bias. Multiple tokens can be generated at once for batch setup.

Typical Use Cases

  • Generating API keys and secret tokens for new integrations
  • Creating session IDs or CSRF tokens for web application security
  • Producing HMAC signing keys with sufficient entropy
  • Generating webhook secrets for GitHub, Stripe, or other webhook endpoints

Step-by-step Guide

  1. Select the token length in bits (128 bits is the minimum recommended for security tokens).
  2. Choose the output format: hex, Base64, Base64url, or alphanumeric.
  3. Set the quantity to generate multiple tokens at once.
  4. Copy the token(s) and store them securely.

Example

Input: 256 bits, hex format
Output: a3f8c2d1e4b7f9a0c5d2e8f1b3a7c4d6e9f2b5a8c1d4e7f0a3b6c9d2e5f8a1b4

Tips & Notes

  • Use Base64url format for tokens that will appear in URLs or HTTP headers – it avoids the + and / characters that need percent-encoding.
  • 256 bits (32 bytes) is the recommended minimum for long-lived API keys and signing secrets; 128 bits is sufficient for session tokens with expiry.
  • Rotate tokens regularly and revoke old ones – a token with no expiry that is leaked remains valid indefinitely.

Frequently Asked Questions

What is the difference between a token and a password?
A password is chosen by a human and is typically shorter and less random. A token is machine-generated from a CSPRNG, providing maximum entropy for its length. Tokens are used for machine-to-machine authentication where memorability is not required.
Should I hash tokens before storing them in a database?
Yes, for high-value tokens like API keys. Store a SHA-256 hash of the token in the database and compare hashes during validation. This way, a database leak does not expose the actual token values. For session tokens, this is less critical if the session table is already well-protected.
What is the difference between a token and a UUID?
A UUID v4 is a 122-bit random value formatted as 8-4-4-4-12 hex groups. Tokens generated by this tool can be any length and format. UUID v4 is a common token format due to its standardized appearance, but a 256-bit hex or Base64url token provides more entropy.