Token Generator
Generate secure tokens
Generate cryptographically secure random tokens, API keys, JWT secrets, and session IDs directly in your browser. This token generator uses the Web Crypto API's CSPRNG (cryptographically secure pseudorandom number generator) to produce tokens suitable for authentication, authorization, and security-critical applications.
Cryptographically Secure Token and API Key Generator
Secure random tokens are the foundation of API authentication, session management, CSRF protection, password reset links, and email verification flows. A token is only secure if it is generated using a cryptographically secure random number generator (CSPRNG) — using `Math.random()` or other non-cryptographic PRNGs produces predictable output that attackers can enumerate.
This tool generates tokens using the Web Crypto API's `crypto.getRandomValues()`, which draws entropy from the operating system's CSPRNG (the same source used by `/dev/urandom` on Linux and `CryptGenRandom` on Windows). Generated tokens have full entropy — every bit is independently random — making them resistant to prediction, enumeration, and brute-force attacks.
Common output formats include hex (for database storage and URL parameters), base64 (for HTTP headers and JWT secrets), base64url (for URL-safe tokens without padding), and raw byte arrays. All generation runs entirely in your browser — tokens are never transmitted to or logged on any server.
Entropy Sizing — How Long Should Your Token Be?
Token security is measured in bits of entropy, not character count. A 128-bit random token (32 hex characters, or 22 base64url characters) provides 2^128 possible values — considered computationally infeasible to brute-force even with nation-state resources. OWASP recommends at least 128 bits of entropy for session tokens and API keys. For JWT signing secrets and long-lived credentials, 256 bits (64 hex characters, 43 base64url characters) provides an additional security margin against advances in computing power.
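The generation and encoding steps described above, as an added example rather than this tool's own source. The function names (`encodeToken`, `encodedLength`, `generateToken`) are hypothetical, and the 128-bit floor is an assumption taken from the minimum stated above.

```javascript
// Added example: not the tool's own code. All function names are hypothetical.
// Web Crypto is a global in browsers and recent Node.js; fall back for older Node.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Deterministic encoders, kept separate from generation so they can be checked.
function encodeToken(bytes, format) {
  switch (format) {
    case 'hex':
      return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
    case 'base64':
      return btoa(String.fromCharCode(...bytes));
    case 'base64url':
      // URL-safe alphabet with the padding stripped.
      return btoa(String.fromCharCode(...bytes))
        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
    default:
      throw new RangeError(`unknown format: ${format}`);
  }
}

// Character count that a given entropy size produces in each format.
function encodedLength(bits, format) {
  const n = bits / 8;
  if (format === 'hex') return n * 2;
  if (format === 'base64') return Math.ceil(n / 3) * 4;
  if (format === 'base64url') return Math.ceil((n * 4) / 3);
  throw new RangeError(`unknown format: ${format}`);
}

function generateToken(bits = 256, format = 'base64url') {
  if (!Number.isInteger(bits) || bits % 8 !== 0) {
    throw new RangeError('bits must be a whole number of bytes');
  }
  if (bits < 128) {
    // Assumed floor, matching the 128-bit minimum discussed above.
    throw new RangeError('use at least 128 bits of entropy');
  }
  const bytes = new Uint8Array(bits / 8);
  webCrypto.getRandomValues(bytes); // OS-backed CSPRNG, never Math.random()
  return encodeToken(bytes, format);
}
```

Entropy is fixed by the byte count passed to `getRandomValues()`; the format only changes how many characters those bytes occupy.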
Generating API Keys for Authentication
Create random API keys in hex or base64url format with 128–256 bits of entropy for use in REST API authentication headers and developer portals.
Creating JWT Signing Secrets
Generate 256-bit random secrets for signing JSON Web Tokens (HS256/HS512) to prevent JWT forgery attacks caused by weak or predictable signing keys.
Password Reset and Email Verification Tokens
Produce single-use secure tokens for password reset links and email verification emails, ensuring they cannot be guessed or enumerated by attackers.
1. Choose Token Length and Format
Select the output bit length (128, 192, or 256 bits are common choices) and format — hex for database storage, base64url for URL-safe tokens, or base64 for HTTP headers. The character count updates automatically based on your selections.
2. Generate and Copy the Token
Click Generate to produce a new cryptographically random token using the Web Crypto CSPRNG. Each click generates a completely independent token. Copy it to clipboard with a single click for immediate use in your configuration or code.
3. Use the Token in Your Application
Paste hex tokens directly into `.env` files, API key fields, or database records. Use base64url tokens in URL query parameters without additional encoding. JWT secrets can be set directly as `JWT_SECRET` environment variables.
Web Crypto API CSPRNG
Uses `crypto.getRandomValues()` for full-entropy token generation — the same cryptographic quality source used by OS-level secure random number generators.
Multiple Output Formats
Generate tokens in hex, base64, base64url (URL-safe, no padding), or binary formats to match the requirements of different authentication systems and protocols.
Configurable Bit Length
Choose from standard entropy sizes (128-bit for session tokens, 256-bit for signing keys) or enter a custom byte count for specialized security requirements.