My Tools Garage

Secure Random Token

Generate cryptographically strong random tokens.

in-browser

How to use

  1. 1 Set the token length (number of characters).
  2. 2 Choose a character set: alphanumeric, hex, Base58, numeric or URL-safe.
  3. 3 Read the generated token and its approximate entropy.
  4. 4 Click Regenerate for a new one, then copy it.

About Secure Random Token

A secure random token is a string of unpredictable characters used as an API key, session identifier, password-reset link, CSRF token or one-time secret.

The crucial word is unpredictable: tokens made with ordinary Math.random are guessable and have repeatedly led to account-takeover bugs.

This generator instead draws from the browser’s Web Crypto CSPRNG, the same source recommended for cryptographic keys, so the output is genuinely hard to predict.

You control two things.

Length sets how many characters the token has, from 4 up to 512 — longer means more entropy and a smaller chance of collision.

The character set decides which symbols appear: alphanumeric for general use, hex for fixed-width identifiers, Base58 (which omits the look-alike characters 0, O, I and l) for tokens people might transcribe by hand, plain numeric for codes, or a URL-safe set for values that travel in links.

The tool samples each character with rejection sampling so the distribution is perfectly uniform and no symbol is subtly over-represented, and it shows the approximate entropy in bits so you can judge strength at a glance.

Everything happens locally; the token is generated in your browser and never sent anywhere, so it is safe to create production secrets here.

Generate a fresh one with a click whenever you need it.

FAQ

Is this random enough for security?

Yes. It uses the Web Crypto getRandomValues CSPRNG, the standard source for cryptographic randomness, and uses rejection sampling so every character is equally likely.

How long should my token be?

For API keys and session IDs aim for at least 128 bits of entropy. The badge under each token shows its bit-strength so you can pick a length that clears that bar.

Why does Base58 leave out some characters?

Base58 drops 0, O, I and l because they are easy to confuse when read or typed, which makes tokens safer to copy by hand.