Random Token Generator
Generate cryptographically secure random tokens for API keys, session IDs, and other secrets with custom length, character sets, and presets.
Tokens are generated using the browser's built-in cryptographically secure random number generator (crypto.getRandomValues), with uniform distribution to avoid modulo bias. The generated values are not sent to the server and are not stored โ only settings like presets and length are saved.
Once issued, secret tokens should only be kept in secure locations (secret management tools, environment variables). The moment they are pasted into source code or chat, they should be considered compromised.
What is the Random Token Generator?
A secure token generator for creating unpredictable random strings for API keys, session tokens, cryptographic secrets, and more. Get started instantly with presets for common formats like "๐ API Key", "๐ฆ Base64URL", and "๐ข Hexadecimal", or fine-tune your own by setting a length (4-128), character types, and prefix. The tool calculates and displays the token's entropy and security rating, so you can verify its strength. All generation happens in your browser using its built-in crypto library; your secrets are never sent to a server.
How to use
- Select a "Preset" like "๐ API Key" or "๐ช Session Token", or choose "โ๏ธ Custom" to define your own character set.
- Use the "Length" slider to set the desired number of random characters.
- For custom tokens, check the boxes to include "Uppercase (A-Z)", "Lowercase (a-z)", "Numbers (0-9)", and "Symbols (-._~)".
- Optionally, add a "Prefix", set the "Count" of tokens to generate (up to 100), and check "Exclude similar characters" for human-readable tokens.
- Click "Generate" to create your token(s). The result appears instantly, along with its "Entropy (bits)" and security "Rating".
- Use the "Copy" button for individual tokens, or "Copy All" and "Save" to get a full list of batch-generated tokens.
Random Token Generator guide
How this tool is used in real work, and what to watch out for.
Tokens Created with Math.random Are a Real-World Vulnerability
This isn't a theoretical concern; it's a vulnerability that leads to actual account takeovers. `Math.random` is designed for speed, not cryptographic security. JavaScript engines use algorithms that generate a sequence of values from an internal state. Researchers have demonstrated that by observing just a few outputs, they can reconstruct this internal state and perfectly predict all subsequent values.
Imagine you generate a password reset token with `Math.random`. An attacker requests resets for their own account multiple times to gather sample tokens. They use these to reconstruct the internal state, then request a reset for an administrator's account and calculate the token that will be generated. They don't even need to intercept the email. This is why this tool exclusively uses `crypto.getRandomValues`.
| Math.random() | crypto.getRandomValues() | |
|---|---|---|
| Use Case | Shuffling, animation, sampling | Tokens, keys, session IDs, OTPs |
| Predictability | State can be reconstructed by observing output | Unpredictable |
| Use for Secrets | Absolutely not | The standard |
How Many Bits Are Enough? A Breakdown of the Presets
A token's strength is measured by its entropy (in bits), not just its length. A 40-character token with 62 possible characters has 62^40 possible combinations, which is about 238 bits of entropy. This value is displayed in the stats below the result, along with a rating: Weak, Moderate, Strong, or Very Strong.
As a rule of thumb, session IDs should have at least 128 bits of entropy. Anything more provides little practical security benefit while making cookies longer. Conversely, anything under 40 bits is within the realm of brute-force attacks with modern hardware and should not be used for secret values.
| Preset | Composition | Entropy | Use Case |
|---|---|---|---|
| API Key | 40 alphanumeric characters | ~238 bits | Server-to-server auth keys |
| Session Token | 64 Base64URL characters | ~384 bits | Safe for direct use in cookies/URLs |
| Hexadecimal | 32 chars (0-9, a-f) | 128 bits | Common 16-byte random hex |
| Base64URL | 43 characters, no padding | ~258 bits | Reset links, signature keys |
| Numeric OTP | 6 digits | ~20 bits | One-time password |
A 6-Digit Numeric OTP Can Never Be Secure on Its Own
A 6-digit number has only one million possible combinations. An automated tool can try hundreds of combinations per second, making it possible to guess the correct one in a realistic timeframe. Increasing the number of digits isn't the answer, as users need to manually type the code they receive via text.
Therefore, the security of an OTP system comes not from the token itself, but from the rules surrounding it. The common practice in many servicesโa 3-minute expiry, a lock after 5 failed attempts, and rate limiting for resendsโis not just a convention; it's a requirement.
- Set a short expiration time. 3-5 minutes is sufficient.
- Limit the number of attempts and invalidate the code if exceeded. The user should be forced to request a new code, not continue guessing.
- Rate-limit code generation per phone number or IP address. Otherwise, the SMS cost itself can become a denial-of-service attack vector.
- Invalidate a code immediately after it has been used.
The Real Reason for Using a Prefix
Adding a prefix like `sk_live_` to the Prefix field will prepend it to every generated token. This isn't just for aesthetics. A prefix plays two critical roles during a security incident.
First, it immediately identifies the key's origin. Discovering a mysterious 40-character string in logs or a chat history can take half a day to trace. But if it starts with `sk_live_`, you know instantly it's a production key for a specific service. Second, it enables automated detection. Tools like GitHub's secret scanning and internal commit hooks look for these fixed patterns to raise alerts. Differentiating prefixes like `live` and `test` can also prevent accidents like committing a production key into test code.
What You Do Next Is More Important
This tool does not store the tokens it generates. They are not sent to the server or saved in your browserโonly settings like the preset and length are kept. If you refresh the page, the tokens will be gone, so move the values you need to a secure location immediately.
- Don't hard-code secrets into your source code. Use environment variables or a secret management tool.
- Add your `.env` file to `.gitignore`. If you've already committed it, the secret is compromised foreverโdeleting the file is not enough. You must revoke the key and issue a new one.
- Consider a token compromised the moment it's pasted into a chat, issue tracker, or screenshot. Even if you delete it, it may still exist in backups and email notifications.
- When storing tokens on a server, consider storing a hash of the token instead of the token itself. This way, the original token is not exposed even if the database is breached.
- Setting 'Count' to a higher number generates a list of tokens and enables 'Copy All' and 'Save' buttons. This is useful for creating keys for multiple environments at once, but your task isn't complete until you have securely deleted the saved `.txt` file.
Frequently asked questions
How is this different from a password generator?
While similar, this tool focuses on tokens for machine use, like API keys. It offers technical presets like "Hexadecimal" and "Base64URL" and provides an entropy score to help developers assess cryptographic strength.
Are the generated tokens truly secure?
Yes. This tool uses the browser's built-in `crypto.getRandomValues` function, a cryptographically secure random number generator. The results are unpredictable and suitable for secrets. All operations are done on your device and are never sent to any server.
What do 'Entropy (bits)' and 'Rating' mean?
Entropy measures unpredictability in bits; a higher value means the token is exponentially harder to guess. The "Rating" is a simple guide based on that value, from "Weak" to "Very Strong". A token with 128 bits or more is generally considered very secure.
When should I use 'Exclude similar characters'?
Use this option when a person might have to read and type the token, such as a recovery code or a one-time password. It removes characters that look alike (like `0`/`O`, `1`/`l`/`I`) to reduce the chance of typos.