Random Token / API Key Generator
Generate cryptographically-random tokens and API keys in hex, base64url or alphanumeric form. Choose the byte length and how many you need. Everything is generated locally in your browser and never transmitted.
About secure tokens and API keys
A token or API key is just a long, unguessable string that proves the bearer is allowed to do something โ call an API, resume a session, or reset a password. Its whole security rests on being unpredictable, which means it must come from a cryptographically secure random source, not a shuffled word list or a timestamp.
This tool draws raw bytes from crypto.getRandomValues() and then encodes them:
- Hexadecimal โ two characters per byte, using
0โ9andaโf. Simple and unambiguous. - Base64url โ compact and URL-safe, using
AโZ aโz 0โ9 - _with no padding, ideal for query strings and headers. - Alphanumeric โ letters and digits only, generated by unbiased rejection sampling, for places where symbols cause trouble.
Your tokens are created in your own browser and displayed only here. They are never sent to a server, logged, or stored. Once you navigate away they are gone. That means you get a fresh, private secret without trusting a remote service.
Picking a length
For most identifiers, 16 bytes (128 bits) is plenty. For API keys and long-lived secrets, 32 bytes (256 bits) is a strong, common default. When in doubt, more entropy never hurts. Remember to store secrets hashed where possible and to rotate them if they leak.
These tokens travel safely to servers over TLS/SSL-encrypted connections. If you need a signed message rather than a random secret, see the HMAC generator; for standardised identifiers, the UUID generator is a better fit.
Frequently asked questions
Are these tokens safe to use as API keys?
Yes. Every byte comes from crypto.getRandomValues, the browser's cryptographically secure random number generator, so the tokens are unpredictable and suitable for API keys, session identifiers and reset tokens. A 32-byte token has 256 bits of entropy.
What is the difference between hex, base64url and alphanumeric?
They encode the same random bytes differently. Hex uses 0โ9 and aโf (two characters per byte). Base64url is more compact and URL-safe, using AโZ aโz 0โ9 - _. Alphanumeric uses only letters and digits, which is handy where symbols cause trouble.
Is anything sent to a server?
No. Tokens are generated entirely in your browser and shown only on this page. Nothing is uploaded, logged, or stored โ you can even generate tokens offline.
How many bytes should I use?
16 bytes (128 bits) is fine for most identifiers; 32 bytes (256 bits) is a strong default for API keys and secrets. Use 64 bytes when you want a very large margin.
Want the theory? Read the guides โ ยท Visit the zoo โ