Secure Random Token & API Key Generator

Why You Need a CSPRNG, Not Math.random()

JavaScript's Math.random() uses a non-cryptographic PRNG (typically xorshift128+ in V8). Its internal state can be reconstructed from a small number of output samples, making it completely unsafe for security tokens. In 2018, researchers demonstrated they could predict future Math.random() outputs after observing just 5 values. This tool uses window.crypto.getRandomValues() — the Web Crypto API's CSPRNG (cryptographically secure pseudo-random number generator) — which draws from OS-level entropy sources (hardware RNG, keyboard timing, mouse movements). This is the same source used by 1Password, Bitwarden, and every major password manager.

Token Length Calibration

Rule of thumb: 128 bits (32 hex chars) is enough randomness that brute-forcing the token is computationally infeasible. There's rarely a security reason to exceed 256 bits — it just wastes bytes.

API Key Prefix Conventions

Modern services prefix API keys so leaked tokens can be detected and revoked quickly. GitHub scans public commits, Stripe scans pastebin sites, and AWS scans cloud-storage buckets — all matching on these prefixes. Following the convention makes your keys discoverable by automated leak-detection systems:

• Stripe: sk_live_ (secret), pk_live_ (publishable), whsec_ (webhook)
• OpenAI: sk-
• GitHub: ghp_ (personal), gho_ (OAuth), ghs_ (server)
• AWS: AKIA (access key), ASIA (temp credential)
• Google Cloud: AIza
• Slack: xoxb- (bot), xoxp- (user), xoxa- (workspace)

Best practice: use distinguishable prefixes for your service (e.g., acme_sk_live_, acme_pk_test_) so leaked keys are obviously yours and your scanning tools can find them.

Format Selection: Hex vs Base64 vs Base64URL vs Alphanumeric

• Hex (0-9, a-f): standard for HMAC keys, hash output, low-level crypto. 32 hex chars = 16 bytes = 128 bits. Easy to read aloud.
• Base64 (A-Z, a-z, 0-9, +, /, =): compact (4 chars per 3 bytes). Used by JWT secrets, X.509 certs, basic auth. Caveat: contains / and + which can cause URL/JSON escaping issues.
• Base64URL (A-Z, a-z, 0-9, -, _): URL-safe variant of Base64. Use for: password reset links, magic links, query string tokens, JWT (which uses Base64URL natively).
• Alphanumeric (A-Z, a-z, 0-9): human-readable. Use for: API keys shared verbally, license keys, invitation codes. Slightly less efficient: ~5.95 bits per char vs 6 for Base64.

Where to Store Generated Tokens

• Local dev: .env file in repo root (always in .gitignore)
• CI/CD: GitHub Actions Secrets, GitLab CI/CD Variables, CircleCI Contexts
• Cloud apps: AWS Secrets Manager, AWS Parameter Store, GCP Secret Manager, Azure Key Vault
• Multi-cloud / self-hosted: HashiCorp Vault, Doppler, 1Password Secrets Automation, Infisical
• Container runtimes: Kubernetes Secrets, Docker Swarm secrets (encrypted at rest in etcd)
• Personal scripts: macOS Keychain, GNOME Keyring, Windows Credential Manager, password manager CLI

Never: commit secrets to Git (even private repos), hardcode in client-side JS, send through Slack/email/JIRA in plaintext, store in browser localStorage.

Rotation and Revocation Strategy

Plan for compromise from day one. Every secret should have: (1) a known location for rotation (which key in which secrets manager), (2) a rotation procedure (regenerate, deploy new, retire old after grace period), (3) audit logging on access, and (4) automatic expiry where possible. For high-value secrets (production database passwords, root API keys), rotate quarterly. For session tokens and short-lived secrets, expire and re-issue automatically. After a known leak, rotate immediately and audit logs for any anomalous use of the old key.