Generate random hex / base64 / alphanumeric tokens
A token is a string generated by a cryptographically secure random number generator, used for authentication, API access authorization, and session management. Unlike passwords, tokens are typically generated and managed automatically by systems, with higher randomness and entropy. A secure token must be unpredictable, unforgeable, and long enough to resist brute-force enumeration.
| Format | Charset | Use Case |
|---|---|---|
| Hex | 0-9a-f, 2 chars per byte | Most universal, debug-friendly |
| Base64 | A-Za-z0-9+/ | More compact |
| Base64URL | A-Za-z0-9-_ (no =) | URL params, JWT |
Security requirement: Tokens must come from a CSPRNG (this tool uses crypto.getRandomValues()). Recommended minimum length is 128 bits (32 hex chars). Never use Math.random() or timestamps to generate security tokens.
Store tokens in environment variables, a .env file or a secret management service; never hardcode them in source code.
Minimum recommendation is 128 bits (32 hex chars), providing ~2¹²⁸ possibilities, which is infeasible to brute-force. For long-lived API keys, use 256 bits (64 hex chars) for additional security margin. Short-lived one-time tokens (e.g., email verification links) are fine at 128 bits.
All three formats encode the same random bytes and offer identical security. The difference is representation efficiency: 32 random bytes become 64 chars in Hex, 44 chars in Base64, and 44 chars in Base64URL. Base64URL additionally avoids the + / = characters, so it can be placed directly in URLs without escaping.
Math.random() uses a pseudo-random algorithm (typically xorshift128+) whose internal state can be reverse-engineered. After observing a few outputs, an attacker can predict all subsequent values. crypto.getRandomValues() draws from the OS entropy pool (hardware noise, etc.), producing unpredictable output.