Is this random secure enough for production?

Yes. The tool uses crypto.getRandomValues from the Web Crypto API, the browser's cryptographically secure pseudo-random number generator. It is suitable for session tokens, CSRF tokens, and reset links, unlike Math.random which must never be used for secrets.

How many bytes should a token be?

For session and CSRF tokens, 32 bytes (256 bits) is a widely recommended minimum. Shorter 16-byte tokens are acceptable for low-risk identifiers, while sensitive long-lived secrets may use 48 or 64 bytes.

What is the difference between base64 and base64url?

Standard base64 uses the characters plus and slash and may include equals padding, which are unsafe in URLs. Base64url replaces them with hyphen and underscore and drops padding, making the token safe to drop directly into a URL or filename.

Are the tokens sent anywhere?

No. Generation happens entirely in your browser and no token is logged, transmitted, or stored on any server. Treat the values as live secrets and store them securely.

Why does hex look twice as long as the byte count?

Hexadecimal encodes each byte as two characters, so 32 bytes become a 64-character string. Base64 is more compact, encoding roughly every 3 bytes as 4 characters.

Secure Token Generator

A secure token is a string of unguessable random data used to authenticate or identify a request — session identifiers, CSRF tokens, API keys, password-reset links, and email-verification codes all rely on them. The single most important property is that the value must come from a cryptographically secure random source. This tool generates tokens using the browser’s Web Crypto API, so every value is suitable for real authentication systems, and nothing ever leaves your device.

How it works

The generator draws random bytes directly from crypto.getRandomValues, the browser’s cryptographically secure pseudo-random number generator (CSPRNG). It then encodes those raw bytes into a text form you can paste into code:

Allocate a Uint8Array of the byte length you chose.
Fill it with crypto.getRandomValues(bytes).
Encode the bytes as hex, standard base64, or URL-safe base64url.

Critically, this never uses Math.random, which is predictable and must never be used for anything security-sensitive. A token built from 32 secure random bytes has 256 bits of entropy — far beyond brute-force reach.

Encodings and sizes

Hex doubles the byte count in characters (32 bytes = 64 hex chars) and is the easiest to read.
Base64 is compact (about 4 characters per 3 bytes) and standard for headers and cookies.
Base64url swaps +/ for -_ and removes = padding so the token is safe inside URLs and filenames.

For session and anti-CSRF tokens, 32 bytes is a strong, conventional choice. Always store generated secrets in a secure secret manager, never in source control, and rotate them if exposure is suspected.