What is Token Generator?
Token Generator — A Token Generator is a free tool that creates secure random tokens in hex, Base64, or alphanumeric format for use as API keys, session tokens, and secret keys.
Loading your tools...
Generate cryptographically secure random tokens for API keys, session identifiers, and signing secrets. Choose hex, Base64, Base64URL, or alphanumeric format with custom length from 16 to 256 characters. Uses the Web Crypto API for true randomness.
Token Generator: Select the token format (hex, Base64, alphanumeric), choose the length, and click generate. Copy the token for use in API keys, CSRF tokens, or password reset links. Uses cryptographically secure randomness.
Token Generator — A Token Generator is a free tool that creates secure random tokens in hex, Base64, or alphanumeric format for use as API keys, session tokens, and secret keys.
Select a token format: hex, Base64, Base64URL, or alphanumeric.
Set the desired length (32–64 characters recommended for API keys).
Add an optional prefix like sk_ or api_ for key identification.
Click Generate, copy the token, and store it in your secrets manager or .env file.
Generating API keys and webhook signing secrets for web applications
Creating CSRF tokens and session identifiers for authentication systems
Producing secure .env file values for database passwords and JWT secrets
Generating test credentials for QA, staging, and integration environments
JavaScript's Math.random() uses a non-cryptographic PRNG (typically xorshift128+ in V8). Its internal state can be reconstructed from a small number of output samples, making it completely unsafe for security tokens. In 2018, researchers demonstrated they could predict future Math.random() outputs after observing just 5 values. This tool uses window.crypto.getRandomValues() — the Web Crypto API's CSPRNG (cryptographically secure pseudo-random number generator) — which draws from OS-level entropy sources (hardware RNG, keyboard timing, mouse movements). This is the same source used by 1Password, Bitwarden, and every major password manager.
| Length (hex) | Entropy | Use case | Example |
|---|---|---|---|
| 16 hex / 8 bytes | 64 bits | Short-lived session IDs | a1b2c3d4e5f67890 |
| 32 hex / 16 bytes | 128 bits | API keys, CSRF tokens (default) | a1b2…(32 chars) |
| 48 hex / 24 bytes | 192 bits | Webhook secrets, JWT HS256 keys | a1b2…(48 chars) |
| 64 hex / 32 bytes | 256 bits | JWT HS512, long-lived signing keys | a1b2…(64 chars) |
Rule of thumb: 128 bits (32 hex chars) is enough randomness that brute-forcing the token is computationally infeasible. There's rarely a security reason to exceed 256 bits — it just wastes bytes.
Well-designed services prefix their API keys (Stripe's sk_live_ / pk_live_ pattern is the best-known example) so that a leaked key is instantly recognizable and automated secret-scanning tools can flag it in commits, logs, and issue trackers before an attacker finds it. If you're issuing keys for your own service, adopt a distinguishable prefix (e.g., acme_sk_live_ vs acme_pk_test_) — it makes accidental leaks greppable and lets you tell secret keys from publishable ones at a glance. Note this only applies to tokens you generate for your own systems: keys for third-party services must always be issued by that service's own dashboard, never assembled by hand.
/ and + which can cause URL/JSON escaping issues..env file in repo root (always in .gitignore)Never: commit secrets to Git (even private repos), hardcode in client-side JS, send through Slack/email/JIRA in plaintext, store in browser localStorage.
Plan for compromise from day one. Every secret should have: (1) a known location for rotation (which key in which secrets manager), (2) a rotation procedure (regenerate, deploy new, retire old after grace period), (3) audit logging on access, and (4) automatic expiry where possible. For high-value secrets (production database passwords, root API keys), rotate quarterly. For session tokens and short-lived secrets, expire and re-issue automatically. After a known leak, rotate immediately and audit logs for any anomalous use of the old key.