VD
VisualDevTools
Advertisement
🔑

Random Token Generator

Generate cryptographically secure random tokens — hex, Base64url, alphanumeric, with prefixes for common API formats (sk_, ghp_, whsec_). Bulk generation, length presets, browser-only.

Advertisement

Tokens vs Strings vs UUIDs

"Random token" usually means an unguessable string used to authenticate a request, identify a session, or sign a payload. Three closely related tools, three different jobs:

  • Random Token Generator (this tool) — produces tokens in the formats real APIs use: 32-byte hex, Base64url, prefixed alphanumeric. Defaults are tuned for production auth.
  • Random String Generator — same CSPRNG, but flexible across length, charset, and quantity. Use it when you need a non-standard format (PIN codes, recovery codes, salt strings).
  • UUID Generator — produces RFC 4122 UUIDs (v4 random or v7 sortable). Use it for database primary keys and identifiers in distributed systems where you want a recognized, parseable format.

How Long Should a Token Be?

Token length is governed by entropy. Each byte gives 8 bits. Most modern services use 128–256 bits:

  • 16 bytes / 128 bits — session IDs, password reset tokens, email verification. The minimum for anything security-relevant. Express's express-session, Rails' session_id, and most JWT signing keys live here.
  • 24 bytes / 192 bits — comfortable middle ground for API tokens.
  • 32 bytes / 256 bits — webhook signing secrets (GitHub, Stripe, Slack), HMAC keys, master API keys. The safe default in 2026.
  • 64 bytes / 512 bits — long-lived signing keys, root credentials, anything where compromise would be catastrophic. Overkill for most cases.

Below 80 bits, tokens become brute-forceable by determined attackers. Don't use 8-character alphanumeric tokens for anything that matters.

Why Prefixes Matter

Stripe's secret keys start with sk_live_ or sk_test_. GitHub personal access tokens start with ghp_. Webhook signing secrets are whsec_. These prefixes do real work:

  • Identifiable in logs — if a token leaks into a stack trace, the prefix says immediately what kind of secret it is and where it came from.
  • Automatic leak scanning — GitHub's Secret Scanning feature looks for these prefixes in pushed code. If you accidentally commit sk_live_… to a public repo, GitHub notifies Stripe within minutes and Stripe revokes the key automatically. Same for AWS, Slack, and dozens of other services.
  • Rotation — when a service rotates one type of key, finding all places it's used is a simple find-and-replace on the prefix.

Storage and Handling

The token is only as secure as the place you put it. Hard rules:

  • Never commit tokens to git. Use .env files for local dev (with .env in .gitignore), and a secrets manager in production (AWS Secrets Manager, HashiCorp Vault, 1Password CLI, Doppler, Cloudflare Workers Secrets).
  • Rotate periodically. Once a year at minimum; every 90 days for high-value keys. Always rotate immediately after a suspected breach.
  • Use short-lived tokens where possible. Issue a new JWT every few minutes via OAuth refresh, rather than a single long-lived bearer token.
  • Log token prefixes, never full values. If you must log token usage, log the first 4–8 chars and the last 4 chars only.
  • Use HTTPS for transmission. Bearer tokens over HTTP are visible to anyone on the network path. There is no excuse for this in 2026.

Generating in Code

// Node.js
import { randomBytes } from 'crypto';
randomBytes(32).toString('hex');         // 64-char hex (256-bit)
randomBytes(32).toString('base64url');   // 43-char Base64url

// Python
import secrets
secrets.token_hex(32)        // 64-char hex
secrets.token_urlsafe(32)    // ~43-char Base64url

// Browser
const a = new Uint8Array(32);
crypto.getRandomValues(a);
[...a].map(b => b.toString(16).padStart(2,'0')).join('');

// Bash
openssl rand -hex 32
openssl rand -base64 32 | tr -d '=' | tr '+/' '-_'

For HMAC webhook secrets specifically formatted for GitHub/Stripe/Slack, use the dedicated Webhook Secret Generator.

How to Use

  1. Pick a preset — common formats are one click away.
  2. Or set bytes + format manually — choose any byte length 4–64 and one of five output formats.
  3. Add a prefix — like sk_live_ or ghp_ — to match your platform's convention.
  4. Click Generate — entropy is shown live; tokens come from crypto.getRandomValues().
  5. Copy and store securely — environment variable or secrets manager, never source code.

Frequently Asked Questions

How is this different from the Random String Generator?

The Random String Generator is general-purpose: any length, any charset. The Token Generator is tuned for the specific shapes of tokens used by APIs and auth systems — fixed-format presets (Stripe sk_, GitHub ghp_, webhook secrets, session IDs), correct entropy for each, and a default of one token at a time. Use this for production tokens; use the Random String Generator for ad-hoc strings or when you need an unusual format.

Are the tokens cryptographically secure?

Yes. Bytes come from crypto.getRandomValues() (Web Crypto API), which is a CSPRNG backed by your operating system's entropy source. This is the same primitive password managers and TLS libraries rely on. Math.random() is never used. Generation happens entirely in your browser tab — tokens are never transmitted to any server.

What format do most APIs expect?

Modern APIs use one of three formats. (1) Hex tokens (32 or 64 chars, 0–9 and a–f) — simplest, URL-safe, and used by GitHub HMAC signatures, OpenAI's older keys, AWS access secrets. (2) Base64url (22-43 chars, alphanumeric + - and _) — denser than hex (~33% shorter), used by JWT, Stripe webhook secrets, modern session IDs. (3) Prefixed alphanumeric (e.g., 'ghp_' + 36 alphanumeric) — Stripe and GitHub use this so tokens are immediately identifiable in logs and accidental leaks.

What's the right length?

128 bits of entropy is the industry standard for any non-trivial token: 32 hex chars, 22 Base64url chars, or 25 alphanumeric chars. For high-stakes tokens (master keys, signing keys), use 256 bits: 64 hex / 43 Base64url / 50 alphanumeric. For one-time codes and email verification tokens, 96 bits is enough. Don't go below 80 bits for anything security-related — collision and brute-force risks become realistic at low entropy.

Why do some services prefix their tokens (sk_, ghp_, whsec_)?

Three reasons. (1) Identification — when a token leaks into a log file or stack trace, the prefix tells the receiver immediately what kind of secret it is. (2) Detection — services like GitHub Secret Scanning use prefixes to find leaked credentials in public commits. (3) Rotation — different prefixes for different token types make it easy to find-and-replace specific kinds during a rotation.

How should I store these tokens?

Never in source code, never in commit history, never in plain-text config files committed to a repo. Use environment variables loaded from a .env file (in .gitignore) for local dev, and a secrets manager (1Password, AWS Secrets Manager, HashiCorp Vault, Doppler, Cloudflare Workers Secrets) for production. For tokens that authenticate your service against a third party (API keys), store them encrypted at rest and decrypt only when needed.

Comments

No comments yet. Be the first!