Random API Token Generator
Generate cryptographically random tokens of any byte length. Output as hex, Base64, or URL-safe Base64. Perfect for API keys and session IDs.
How to use API Token Generator
- Choose the number of random bytes. 32 bytes (256 bits) is a strong, common default for API keys.
- Pick an output format: hex for readability, Base64 for density, or Base64URL for tokens that go in URLs.
- Set how many tokens to generate at once if you need a batch.
- Click Generate. Each token is produced from a cryptographically secure random source in your browser.
- Copy a single token or copy them all, then paste into your config, secrets manager, or environment variables.
Generating secure random tokens for keys, secrets, and IDs
API keys, session identifiers, password-reset links, CSRF tokens, and webhook secrets all share one requirement: they must be impossible to guess. The only honest way to achieve that is to generate them from a cryptographically secure random source and make them long enough that brute force is hopeless. This tool does both, entirely in your browser.
The source has to be a CSPRNG
For a machine secret the stakes around randomness are higher than for a human password, because a token is often the only thing protecting an endpoint. A CSPRNG — cryptographically secure pseudo-random number generator — is the one source whose past output reveals nothing about its future output. This tool fills every byte from crypto.getRandomValues(); an attacker who somehow saw a million previous tokens still could not narrow down the next one.
Bytes are the real measure of strength
It is the number of random bytes, not the length of the printed string, that determines how strong a token is. A token of n bytes carries 8 × n bits of entropy regardless of how you encode it:
16 bytes = 128 bits → 32 hex chars / 22 Base64URL chars
24 bytes = 192 bits → 48 hex chars / 32 Base64URL chars
32 bytes = 256 bits → 64 hex chars / 43 Base64URL chars
256 bits is the comfortable default for anything security-sensitive: the number of possible 32-byte tokens is so astronomically large that guessing one is not a threat anyone needs to plan for.
Choosing an encoding
- Hex uses only 0–9 and a–f, so it is unambiguous and easy to read aloud — at the cost of being twice as long as the raw bytes.
- Base64 packs the bytes more densely (~1.33 characters per byte) using letters, digits, +, and /.
- Base64URL is Base64 with + and / replaced by - and _ and the padding stripped, so it drops straight into URLs and file names without escaping.
Handling tokens safely
Generating a strong token is only half the job. Keep secrets out of your source code and version control, inject them through environment variables or a dedicated secrets manager, never log them, and rotate them if you suspect exposure. Where possible, store only a hash of a token on the server so that a database leak does not hand attackers the live secret.
Related security tools
- UUID Generator — random v4 UUIDs when you need a standard 128-bit identifier format.
- Password Generator — random human-facing passwords rather than machine secrets.
- Hash Generator — hash a token with SHA-256 before storing it server-side.
- Password Strength Checker — measure entropy and crack time for any secret.
Frequently asked questions
How random are these tokens?
Should I choose hex, Base64, or Base64URL?
How many bytes should an API key or secret have?
Why does byte length matter more than character length?
Are these tokens generated privately?
Can I use these as session IDs or CSRF tokens?
Is a random token the same as a UUID?
How should I store the generated secret?
Built by Muhammad Tahir · About