AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Generate cryptographically secure random tokens in multiple formats.
| Format | Character Set | Output Length (32 bytes) | Use Case |
|---|---|---|---|
| Hex | 0-9 a-f | 64 chars | API keys, hash representations |
| Base64 | A-Z a-z 0-9 + / = | 44 chars | Secret keys, tokens (compact) |
| Base64 URL Safe | A-Z a-z 0-9 - _ | 43 chars | URL-safe tokens, JWT secrets |
| Alphanumeric | A-Z a-z 0-9 | varies | Human-readable tokens, OTP |
| Numeric | 0-9 | varies | PIN codes, OTP digits |
| UUID v4 | 0-9 a-f (fixed format) | 36 chars | Database IDs, unique identifiers |
The security of a random token depends on its entropy, which is determined by the character set size and the token length. More entropy means more possible combinations and higher resistance to brute-force attacks.
| Format | Charset Size | Default Entropy (32 bytes) | Crack Time (1B/s) |
|---|---|---|---|
| Hex | 16 | 256 bits | Centuries+ |
| Base64 | 64 | 256 bits | Centuries+ |
| Alphanumeric | 62 | ~152 bits | Centuries+ |
| Numeric | 10 | ~106 bits | Centuries+ |
| UUID v4 | 16 (122 bits) | 122 bits | Centuries+ |
Yes. This tool uses the Web Crypto API's crypto.getRandomValues() method, which is backed by the operating system's cryptographically secure random number generator (CSPRNG). The generated tokens are suitable for API keys, session tokens, CSRF tokens, and other security-sensitive applications.
For API keys, a minimum of 128 bits of entropy is recommended. This corresponds to a 32-character hex token (32 bytes = 256 bits). If using Base64, aim for at least 24 bytes (32 characters). Most major API providers (Stripe, GitHub, etc.) use tokens in the 32–48 byte range.
UUID v4 follows a specific format (xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx) where certain bits are fixed for version identification. This gives UUID v4 exactly 122 bits of randomness. Random tokens from other formats can have higher or lower entropy depending on length.
Standard Base64 includes + and / characters, which need URL-encoding when used in URLs. The URL-safe variant replaces these with - and _, making tokens safe for use in URLs, filenames, and HTTP headers without escaping.
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026