Token Generator

Generate cryptographically secure random tokens — hex, base64, alphanumeric for API keys, session tokens, CSRF tokens and more.

About Token Generator

This tool generates cryptographically secure random tokens using the Web Crypto API (crypto.getRandomValues) — the same entropy source used by browsers for TLS. Tokens generated here are suitable for use as session tokens, CSRF tokens, password reset tokens, email verification tokens, API keys, and OAuth secrets.

Hex encoding produces tokens containing only 0-9 and a-f characters. Base64 and Base64url produce more compact tokens using a wider character set. Alphanumeric tokens are URL-safe and human-readable. For most security use cases, 32 bytes (256-bit) provides excellent security with an astronomically small collision probability.

FAQ

How many bytes should my token be?
For session tokens and CSRF tokens: 32 bytes (256-bit) is the current recommendation by OWASP. For short-lived tokens (password reset, email verification): 16 bytes is sufficient. For long-lived API keys: 32 bytes or more. More bytes = more entropy = harder to guess.
What is the difference between hex and base64url?
Hex uses 2 characters per byte (64 chars for 32 bytes). Base64url uses ~1.33 characters per byte (43 chars for 32 bytes) — more compact and URL-safe. Base64url replaces + with - and / with _ to avoid URL encoding issues, making it ideal for tokens in URL parameters and JWT payloads.

Related Tools

API Key GeneratorSecurity ToolsPassword GeneratorSecurity ToolsUUID GeneratorSecurity ToolsHMAC GeneratorSecurity ToolsJWT GeneratorSecurity Tools