Random Token Generator
Generate cryptographically secure random tokens in multiple formats.
- Home
- > Hash & Security >
- Random Token Generator
Configuration
Generated Tokens
Token Format Reference
| Format | Character Set | Output Length (32 bytes) | Use Case |
|---|---|---|---|
| Hex | 0-9 a-f | 64 chars | API keys, hash representations |
| Base64 | A-Z a-z 0-9 + / = | 44 chars | Secret keys, tokens (compact) |
| Base64 URL Safe | A-Z a-z 0-9 - _ | 43 chars | URL-safe tokens, JWT secrets |
| Alphanumeric | A-Z a-z 0-9 | varies | Human-readable tokens, OTP |
| Numeric | 0-9 | varies | PIN codes, OTP digits |
| UUID v4 | 0-9 a-f (fixed format) | 36 chars | Database IDs, unique identifiers |
Understanding Token Entropy
The security of a random token depends on its entropy, which is determined by the character set size and the token length. More entropy means more possible combinations and higher resistance to brute-force attacks.
| Format | Charset Size | Default Entropy (32 bytes) | Crack Time (1B/s) |
|---|---|---|---|
| Hex | 16 | 256 bits | Centuries+ |
| Base64 | 64 | 256 bits | Centuries+ |
| Alphanumeric | 62 | ~152 bits | Centuries+ |
| Numeric | 10 | ~106 bits | Centuries+ |
| UUID v4 | 16 (122 bits) | 122 bits | Centuries+ |
Frequently Asked Questions
Is this token generator cryptographically secure?
Yes. This tool uses the Web Crypto API's crypto.getRandomValues() method, which is backed by the operating system's cryptographically secure random number generator (CSPRNG). The generated tokens are suitable for API keys, session tokens, CSRF tokens, and other security-sensitive applications.
How long should an API key be?
For API keys, a minimum of 128 bits of entropy is recommended. This corresponds to a 32-character hex token (32 bytes = 256 bits). If using Base64, aim for at least 24 bytes (32 characters). Most major API providers (Stripe, GitHub, etc.) use tokens in the 32–48 byte range.
What is the difference between UUID v4 and random tokens?
UUID v4 follows a specific format (xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx) where certain bits are fixed for version identification. This gives UUID v4 exactly 122 bits of randomness. Random tokens from other formats can have higher or lower entropy depending on length.
Why use Base64 URL Safe?
Standard Base64 includes + and / characters, which need URL-encoding when used in URLs. The URL-safe variant replaces these with - and _, making tokens safe for use in URLs, filenames, and HTTP headers without escaping.
