Secure Token Generator

Cryptographically random tokens for auth systems

Generate cryptographically secure random tokens in hex, base64, and base64url encodings at any byte length. Built on the Web Crypto API and runs entirely in your browser, ideal for session IDs, CSRF tokens, API keys, and password-reset links. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Is this random secure enough for production?

Yes. The tool uses crypto.getRandomValues from the Web Crypto API, the browser's cryptographically secure pseudo-random number generator. It is suitable for session tokens, CSRF tokens, and reset links, unlike Math.random which must never be used for secrets.

A secure token is a string of unguessable random data used to authenticate or identify a request — session identifiers, CSRF tokens, API keys, password-reset links, and email-verification codes all rely on them. The single most important property is that the value must come from a cryptographically secure random source. This tool generates tokens using the browser’s Web Crypto API, so every value is suitable for real authentication systems, and nothing ever leaves your device.

How it works

The generator draws random bytes directly from crypto.getRandomValues, the browser’s cryptographically secure pseudo-random number generator (CSPRNG). It then encodes those raw bytes into a text form you can paste into code:

  1. Allocate a Uint8Array of the byte length you chose.
  2. Fill it with crypto.getRandomValues(bytes).
  3. Encode the bytes as hex, standard base64, or URL-safe base64url.

Critically, this never uses Math.random, which is predictable and must never be used for anything security-sensitive. A token built from 32 secure random bytes has 256 bits of entropy — far beyond brute-force reach.

Encodings and sizes

  • Hex doubles the byte count in characters (32 bytes = 64 hex chars) and is the easiest to read, but least compact.
  • Base64 is compact (about 4 characters per 3 bytes) and standard for HTTP headers and cookies.
  • Base64url swaps +/ for -_ and removes = padding so the token is safe to embed directly in URLs and filenames without percent-encoding.

Choosing the right byte length

Use caseRecommended bytesWhy
CSRF tokens32 bytes256-bit space; standard recommendation
Session IDs32 bytesSame — cookie or header transport
Password-reset links32–48 bytesShould expire quickly; 32 is fine
Long-lived API keys32–64 bytesMore bytes provides deeper margin
Low-risk identifiers16 bytes128-bit entropy; adequate for most

Going below 16 bytes risks collision in large-scale systems. Going above 64 bytes has no practical security benefit and wastes storage.

Common mistakes

Using Math.random. This is not cryptographically secure. Node.js’s crypto.randomBytes, Python’s secrets.token_hex, and the browser’s crypto.getRandomValues are correct; Math.random is never acceptable for security-sensitive tokens.

Storing tokens in plaintext. Password-reset tokens and one-time codes stored in plain text in a database can be read by anyone with database access. Hash them with SHA-256 before storage — the link carries the raw token, the database holds the hash.

Reusing tokens. Each token should be single-use. Mark reset and verification tokens as used the moment they are consumed, so replaying an intercepted token does nothing.

For session and anti-CSRF tokens, 32 bytes is a strong, conventional choice. Always store generated secrets in a secure secret manager, never in source control, and rotate them if exposure is suspected.