Random Token Generator: Create Secure Hex and Base64 Tokens

What Is a Cryptographically Secure Random Token?

A random token is a string of bytes generated from a cryptographically secure pseudorandom number generator (CSPRNG). The key property is unpredictability: given any number of previously generated tokens, an attacker cannot predict the next one. This is distinct from tokens generated by weak random sources like `Math.random()` in JavaScript or `rand()` in C, which are deterministic given the seed and can sometimes be predicted from observable outputs.

Token security is measured in bits of entropy — the log base 2 of the number of possible values. A 16-byte (128-bit) token has 2^128 possible values, a 32-byte (256-bit) token has 2^256 possible values. NIST recommends at least 128 bits of entropy for session tokens and API keys; 256 bits is recommended for long-lived secrets like signing keys.

Tokens are encoded in different formats for different contexts: hex (0-9, a-f) is universal and easy to store in databases; Base64 is more compact (1.33 bytes per character vs 2 bytes for hex) and suitable for HTTP headers and URLs (use the URL-safe Base64 variant for URLs).

How to Use This Tool

Generating a secure token takes just a few seconds.

1. 1

   Choose the token size

   Select the number of bytes (not characters) of random data to generate. 16 bytes gives 128 bits, 32 bytes gives 256 bits. For API keys and session tokens, 32 bytes (256 bits) is a good standard choice.

2. 2

   Select the encoding

   Choose Hex for a string of hexadecimal characters (length = 2 × bytes), or Base64 for a more compact string (length ≈ 1.33 × bytes). Use URL-safe Base64 if the token will appear in URLs or HTTP headers without encoding.

3. 3

   Set quantity if needed

   Specify how many tokens to generate if you need multiple, for example to seed a database with test API keys or pre-generate a batch of one-time codes.

4. 4

   Click Generate

   Press Generate to produce the token(s). Each token is independently drawn from fresh cryptographic entropy — there is no sequential relationship between generated tokens.

5. 5

   Copy and store securely

   Copy the generated token(s) to your clipboard and immediately store them in a secrets manager (HashiCorp Vault, AWS Secrets Manager, environment variables) rather than hardcoding them in source code.

Common Use Cases

Secure random tokens are needed wherever unpredictable secret values are required.

• API key generation for REST and GraphQL APIs, where each client receives a unique, unguessable token to authenticate their requests.
• Session identifier generation for web applications — after login, the server issues a cryptographically random session ID stored in an HttpOnly cookie.
• CSRF token generation to prevent cross-site request forgery — a unique token is embedded in each form and verified server-side on submission.
• Password reset and email verification links — a short-lived, single-use random token is appended to a link emailed to the user.
• OAuth 2.0 state parameter generation to prevent CSRF attacks during the OAuth authorization flow.

Tips and Best Practices

Follow these guidelines to use random tokens securely in your applications.

• Use at least 128 bits (16 bytes) for session tokens and CSRF tokens, and at least 256 bits (32 bytes) for API keys, signing keys, and long-lived secrets.
• Always generate tokens server-side for security-critical applications. Client-side generation is acceptable for non-security identifiers but not for tokens that authenticate users or protect resources.
• Store tokens in a hashed form (SHA-256 of the token) in your database, similar to how passwords should be hashed. If your database is compromised, attackers cannot use the stored hashes directly.
• Set appropriate expiration times on tokens. Session tokens should expire after inactivity. Password reset tokens should expire within 15–60 minutes. API keys should be rotatable and revocable.
• Transmit tokens only over TLS (HTTPS) — never over HTTP. Use the HttpOnly and Secure flags for session cookies to prevent JavaScript access and insecure transmission.

Frequently Asked Questions