Secure Token Generator
Generate cryptographically random tokens for API keys, session secrets, password salts, share links, anything. Uses the browser's CSPRNG (Web Crypto API) — never Math.random().
What makes a token "secure"?
A secure token is unpredictable — an attacker can't guess it faster than brute-forcing the entire keyspace. Two requirements:
- Cryptographically secure source. Use crypto.getRandomValues() (browser) or crypto.randomBytes() (Node) — never Math.random(), which is predictable from a few outputs.
- Enough entropy. A 16-byte (128-bit) random token has 2^128 possibilities — about the same as an AES-128 key. Anything below ~80 bits is brute-forceable by motivated attackers.
Length recommendations
- API keys: 32 chars base64url ≈ 192 bits. Plenty.
- Session tokens: 32 bytes hex (64 hex chars) ≈ 256 bits. OWASP standard.
- Email verification: 16-24 chars URL-safe. 100+ bits.
- Password reset links: 24-32 chars URL-safe + short expiry (15-60 min).
- One-time codes: 6-8 digits is fine for SMS OTP because of rate limiting; 100+ bits if no rate limit.
About the formats
- Hex: compact for hashes (which are already binary); 2 chars per byte.
- Base64URL: URL-safe (uses - and _ instead of + and /), no padding by default. The standard for JWT and OAuth tokens.
- Alphanumeric: 62-character alphabet, so each character carries log2(62) ≈ 5.95 bits. Safe for identifiers and file names.
- URL slug: excludes ambiguous chars (0/O, 1/l/I) for human-typability.
- Diceware words: 6 random English words ≈ 78 bits. Memorable for humans, unfriendly to brute force.
Privacy
Generation happens entirely in your browser using the Web Crypto API. The tokens never leave the page; nothing is logged or sent anywhere.