Does this tool send my data anywhere?

No. Everything runs in your browser via standard Web APIs. The page makes no network calls after the initial load.

Yes. No signup, no usage limits, no ads in the input form.

Does it work offline?

After the first visit, the service worker caches the assets so the tool keeps working without a connection.

Inputs are remembered locally in your browser via localStorage. They never leave your device.

Yes. Use the Copy or Share button on the result, or copy the page URL once you have entered values.

Home Token

SECURE token

ready

Generate cryptographically random tokens for API keys, session secrets, password salts, share links, anything. Uses the browser's CSPRNG (Web Crypto API) - never Math.random().

last reviewed 2026-04-27·client-side · 0 bytes sent

STDINinput

Format

Length (chars / words)

How many to generate

Prefix (optional)

[01] What makes a token "secure"?

A secure token is unpredictable - an attacker can't guess it faster than brute-forcing the entire keyspace. Two requirements:

Cryptographically secure source. Use crypto.getRandomValues() (browser) or crypto.randomBytes() (Node) - never Math.random(), which is predictable from a few outputs.
Enough entropy. A 16-byte (128-bit) random token has 2¹²⁸ possibilities - about the same as AES-128 keys. Anything below ~80 bits is brute-forceable by motivated attackers.

[02] Length recommendations

API keys: 32 chars base64url ≈ 192 bits. Plenty.
Session tokens: 32 bytes hex (64 hex chars) ≈ 256 bits. OWASP standard.
Email verification: 16-24 chars URL-safe. 100+ bits.
Password reset links: 24-32 chars URL-safe + short expiry (15-60 min).
One-time codes: 6-8 digits is fine for SMS OTP because of rate limiting; 100+ bits if no rate limit.

[03] About the formats

Hex: compact for hashes (which are already binary); 2 chars per byte.
Base64URL: URL-safe (uses -_ instead of +/), no padding by default. The standard for JWT, OAuth tokens.
Alphanumeric: 62 chars per character ≈ 5.95 bits. Safe for identifiers, file names.
URL slug: excludes ambiguous chars (0/O, 1/l/I) for human-typability.
Diceware words: 6 random English words ≈ 78 bits. Memorable for humans, unfriendly to brute force.

[04] Privacy

Generation happens entirely in your browser using the Web Crypto API. The tokens never leave the page; nothing is logged or sent anywhere.

STDOUToutput

Common questions

Is Secure Token Generator free to use?

Yes. The tool runs in your browser at no cost, with no signup required.

Where is the math performed?

Calculations run locally in your browser. Your inputs do not leave your device.

Are the rates and rules current?

We update sources when published rates change. For high-stakes decisions, verify against the official source linked on this page.

[01] What makes a token "secure"?

[02] Length recommendations

[03] About the formats

[04] Privacy

// RELATED

Common questions