Skip to main content
Back to Dev generators

Dev

Random Base64 String Generator

Picking the right byte length for a cryptographic secret or encoded token is not obvious, and writing the generation code from scratch every time is repetitive. This generator closes both gaps: set the byte length, choose how many strings to produce, and optionally switch to URL-safe mode — all output comes from the browser's cryptographically secure crypto.getRandomValues API. The Byte Length field directly controls entropy. Use 16 bytes (128 bits) for session nonces and CSRF tokens. Use 32 bytes (256 bits) for HMAC-SHA256 JWT signing secrets, AES-256 keys, and general-purpose API credentials. Use 64 bytes (512 bits) for HS512 JWT secrets or high-value long-lived tokens. The resulting Base64 strings will be approximately 4/3 the byte count in characters — 32 bytes becomes 43 characters, 64 bytes becomes 86. The URL-Safe toggle replaces the standard + and / characters with - and _ (RFC 4648 §5), making output safe for JWT headers, S3 object keys, cookie values, and query parameters without percent-encoding. The How Many field produces a batch in one operation, useful for seeding .env files across multiple services or generating fixture tokens for a large test suite.

Read the complete guide — 4 min read

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Set the Byte Length field to the number of random bytes you need — 32 for JWT secrets, 16 for session tokens.
  2. Set How Many to the number of strings you want generated in one batch.
  3. Choose URL-Safe Base64 if the strings will appear in URLs, cookies, filenames, or JWT headers.
  4. Click Generate to produce the list of Base64-encoded strings.
  5. Click any string or use the copy button to grab it for your .env file, config, or test fixture.

Use Cases

  • Generating 32-byte HMAC-SHA256 JWT signing secrets for Node.js Express or FastAPI apps
  • Populating .env files with AES-256 encryption keys during local Docker Compose setup
  • Seeding a Postgres fixture file with unique Base64 session tokens for 50 mock users
  • Creating URL-safe refresh tokens for OAuth 2.0 flows tested in Postman or Insomnia
  • Batch-generating API key values to populate a CI pipeline's GitHub Actions secret matrix

Tips

  • For AES-256 keys, always use exactly 32 bytes — other lengths will require padding or truncation in most libraries.
  • URL-safe mode is the safer default for new projects; it works everywhere standard Base64 works but avoids URL escaping bugs.
  • Generate a fresh batch of 10 strings and keep them in a local scratch file as a reserve for spinning up new services quickly.
  • Avoid reusing the same Base64 secret across environments — generate separate strings for dev, staging, and production.
  • If your framework expects Base64 without padding, most URL-safe generators strip the trailing `=` — verify your library's expectations before use.
  • When seeding test databases, use 16 bytes for token columns — it balances entropy with storage efficiency in VARCHAR fields.

FAQ

what byte length should I use for a JWT secret or API key

Use 32 bytes (256 bits) for HMAC-SHA256 (HS256) JWT signing — it matches the hash output size and is the widely accepted minimum. For HS512 or high-value API keys, go to 64 bytes. The resulting Base64 string will be 43 characters (32 bytes, padding stripped) or 86 characters (64 bytes).

what is the difference between standard and url-safe base64

Standard Base64 uses + and /, which are reserved characters in URLs and must be percent-encoded in query strings or cookies. URL-safe Base64 (RFC 4648 §5) replaces them with - and _, so the string works directly in JWTs, S3 object keys, filenames, and query parameters without extra escaping. Enable URL-safe mode unless you have a specific reason to use the standard alphabet.

are these base64 strings safe to use as real secrets in production

The underlying bytes come from crypto.getRandomValues, which is the browser's cryptographically secure random source, so the entropy is production-grade. That said, treat any generated secret with care: store it immediately in a secrets manager like AWS Secrets Manager or HashiCorp Vault rather than leaving it in browser history or a plaintext file.

how does the byte length relate to the length of the output string

Base64 encodes every 3 bytes as 4 characters, so the output length is approximately ceil(bytes / 3) * 4 characters. For 32 bytes that is 44 characters in standard mode (43 without padding), and 86 characters for 64 bytes. URL-safe mode omits the trailing = padding characters, producing slightly shorter strings.

You might also like

Popular tools from other categories that share themes with this one.

Try these next

More free tools from other corners of the catalog, picked by shared themes.