
Random Token Generator

Generate cryptographically secure random tokens and API keys in various formats

API Keys That Can’t Be Guessed

Stripe prefixes theirs with sk_live_. GitHub uses ghp_ for personal access tokens. AWS access keys start with AKIA. Behind every one of those prefixes is a long string of cryptographically random characters that makes the key impossible to predict.

If your API key was generated with Math.random(), you've got a problem. JavaScript's Math.random() uses a PRNG (pseudo-random number generator) that is built for speed, not unpredictability. Given enough output, an attacker can recover its internal state and predict future values. That's why security-sensitive tokens need crypto.getRandomValues(), which pulls from the operating system's entropy pool, the same source TLS and SSH use.

This tool generates tokens in hex, Base64 URL-safe, alphanumeric, or UUID-like formats. You can set the length, add a prefix, and generate batches. Everything happens in your browser.

Picking the Right Format and Length

Hex (0-9, a-f) gives you 4 bits of entropy per character. A 32-character hex token = 128 bits of entropy. Simple, no encoding issues, works everywhere.

Base64 URL-safe (A-Z, a-z, 0-9, -, _) gives you about 6 bits per character. More entropy per character means shorter tokens for the same security level. A 22-character Base64 token gives you roughly 128 bits.

Alphanumeric (A-Z, a-z, 0-9) gives you about 5.95 bits per character. Nearly the same density as Base64 but without the - and _ characters, which some systems don’t handle well.

For API keys, OWASP recommends at least 128 bits of entropy. For session tokens, also 128 bits minimum. If you’re paranoid (and you should be), go with 256 bits — a 64-character hex token or a 43-character Base64 token.

The Prefix Convention

Stripe’s sk_live_ and sk_test_ prefixes aren’t just cosmetic. They serve two critical purposes:

  1. Secret detection. Tools like GitHub’s secret scanning, trufflehog, and git-secrets pattern-match on prefixes to flag accidentally committed keys. If your tokens have a recognizable prefix, these tools can catch leaks in pull requests before they hit production.

  2. Key identification. When you’re debugging an auth failure, seeing pk_ vs sk_ immediately tells you whether someone’s using the publishable key where the secret key is needed, or vice versa.

Add a prefix like sk_, pk_, api_, test_, or whsec_ (for webhook secrets) depending on your key’s purpose.
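
One way to produce tokens in the formats and lengths described above, with an optional prefix. This is an added example, not the tool's own code: generateToken, charsForBits, randomChars and ALPHABETS are hypothetical names, and the alphanumeric path uses rejection sampling so all 62 characters stay equally likely.

```javascript
// Added example: all function and constant names here are illustrative.
// Web Crypto CSPRNG: the browser's global `crypto`, or Node's equivalent.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const ALPHABETS = {
  hex: "0123456789abcdef",
  base64url: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
  alphanumeric: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
};

// Smallest length whose alphabet^length covers 2^bits (exact BigInt math,
// so 128 bits of hex is 32 characters and 256 bits of Base64 is 43).
function charsForBits(format, bits) {
  const n = BigInt(ALPHABETS[format].length);
  let len = 1;
  while (n ** BigInt(len) < 2n ** BigInt(bits)) len++;
  return len;
}

// Draw `length` characters uniformly from the alphabet.
// Bytes >= limit are discarded (rejection sampling): a plain `byte % 62`
// would make the first 256 % 62 = 8 characters slightly more likely.
function randomChars(alphabet, length) {
  const n = alphabet.length;
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  let out = "";
  while (out.length < length) {
    const buf = rng.getRandomValues(new Uint8Array((length - out.length) * 2));
    for (const b of buf) {
      if (b < limit && out.length < length) out += alphabet[b % n];
    }
  }
  return out;
}

// Build "<prefix><random part>". The prefix adds no entropy, so `bits`
// applies to the random part only.
function generateToken({ format = "hex", bits = 128, prefix = "" } = {}) {
  const alphabet = ALPHABETS[format];
  if (!alphabet) throw new Error(`unknown format: ${format}`);
  return prefix + randomChars(alphabet, charsForBits(format, bits));
}

console.log(generateToken({ format: "hex", bits: 256, prefix: "sk_test_" }));
console.log(generateToken({ format: "base64url", bits: 128 }));
console.log(generateToken({ format: "alphanumeric", bits: 128, prefix: "api_" }));
```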

Real Scenarios

Webhook secrets. You’re setting up a Stripe webhook. You need a shared secret so your server can verify that incoming webhook payloads actually came from Stripe (via HMAC). Generate a 64-character hex token here, configure it in your Stripe dashboard, and use the HMAC Generator on Toolsvu to test signature verification.

Session identifiers. Your Express app needs session IDs. A 64-character hex token gives 256 bits of randomness, way more than the 128-bit OWASP minimum. Guessing a valid session ID becomes practically impossible.

Database seed tokens. You need 50 realistic API keys for your staging database. Set the count to 50, add a prefix, generate, and paste the batch into your seed script.

For standardized UUID-format identifiers, the UUID Generator handles that. For human-readable passwords, the Password Generator is the right tool. Tokens generated here stay in your browser and never touch a server.
