IP Animals

Random Token / API Key Generator

Generate cryptographically-random tokens and API keys in hex, base64url or alphanumeric form. Choose the byte length and how many you need. Everything is generated locally in your browser and never transmitted.

About secure tokens and API keys

A token or API key is just a long, unguessable string that proves the bearer is allowed to do something: call an API, resume a session, or reset a password. Its whole security rests on being unpredictable, which means it must come from a cryptographically secure random source, not a shuffled word list or a timestamp.

This tool draws raw bytes from crypto.getRandomValues() and then encodes them:

  • Hexadecimal: two characters per byte, using 0–9 and a–f. Simple and unambiguous.
  • Base64url: compact and URL-safe, using A–Z a–z 0–9 - _ with no padding, ideal for query strings and headers.
  • Alphanumeric: letters and digits only, generated by unbiased rejection sampling, for places where symbols cause trouble.

🔒 Generated locally, never transmitted

Your tokens are created in your own browser and displayed only here. They are never sent to a server, logged, or stored. Once you navigate away they are gone. That means you get a fresh, private secret without trusting a remote service.

Picking a length

For most identifiers, 16 bytes (128 bits) is plenty. For API keys and long-lived secrets, 32 bytes (256 bits) is a strong, common default. When in doubt, more entropy never hurts. Remember to store secrets hashed where possible and to rotate them if they leak.
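
The three encodings and the byte lengths described above, as an added example; this is not the tool's own code, and every function name in it is hypothetical. The page does not say how the tool sizes alphanumeric tokens, so this sketch assumes the character count is chosen to carry at least as many bits as the requested byte length.

```javascript
// Added example; all function names here are hypothetical, not the tool's own.
// Web Crypto CSPRNG: global in browsers and current Node, with a fallback for older Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

function randomBytes(n) {
  if (!Number.isInteger(n) || n < 1) throw new RangeError("length must be a positive integer");
  return webCrypto.getRandomValues(new Uint8Array(n));
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function toBase64Url(bytes) {
  // btoa takes a binary string; swap in the URL-safe alphabet and drop '=' padding.
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Rejection sampling: 256 is not a multiple of 62, so a plain `byte % 62` would
// favour the first 8 characters. Bytes >= 248 (4 * 62) are discarded and redrawn.
function randomAlphanumeric(length) {
  const limit = 256 - (256 % ALPHANUM.length); // 248
  let out = "";
  while (out.length < length) {
    for (const b of randomBytes(length - out.length)) {
      if (b < limit) out += ALPHANUM[b % ALPHANUM.length];
    }
  }
  return out;
}

// Assumption: each alphanumeric character carries log2(62) ~ 5.95 bits, so the
// token is sized to hold at least byteLength * 8 bits.
function alphanumericLength(byteLength) {
  return Math.ceil((byteLength * 8) / Math.log2(ALPHANUM.length));
}

function generateToken(format, byteLength = 32) {
  switch (format) {
    case "hex": return toHex(randomBytes(byteLength));
    case "base64url": return toBase64Url(randomBytes(byteLength));
    case "alphanumeric": return randomAlphanumeric(alphanumericLength(byteLength));
    default: throw new Error(`unknown format: ${format}`);
  }
}
```

With these assumptions a 32-byte request yields 64 hex characters, 43 base64url characters, or 43 alphanumeric characters.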

These tokens travel safely to servers over TLS/SSL-encrypted connections. If you need a signed message rather than a random secret, see the HMAC generator; for standardised identifiers, the UUID generator is a better fit.

Frequently asked questions

Are these tokens safe to use as API keys?

Yes. Every byte comes from crypto.getRandomValues, the browser's cryptographically secure random number generator, so the tokens are unpredictable and suitable for API keys, session identifiers and reset tokens. A 32-byte token has 256 bits of entropy.

What is the difference between hex, base64url and alphanumeric?

They encode the same random bytes differently. Hex uses 0–9 and a–f (two characters per byte). Base64url is more compact and URL-safe, using A–Z a–z 0–9 - _. Alphanumeric uses only letters and digits, which is handy where symbols cause trouble.

Is anything sent to a server?

No. Tokens are generated entirely in your browser and shown only on this page. Nothing is uploaded, logged, or stored; you can even generate tokens offline.

How many bytes should I use?

16 bytes (128 bits) is fine for most identifiers; 32 bytes (256 bits) is a strong default for API keys and secrets. Use 64 bytes when you want a very large margin.
