Skip to main content
Back to Numbers generators

Numbers

Secure Random Token Generator

A secure random token generator is the fastest way to produce high-entropy strings for API keys, session identifiers, invite links, and test fixtures. Pick from five character sets — lowercase hex, uppercase hex, base36, base62, or numeric — set the exact length your system expects, and generate up to several tokens at once. The dash-separator option groups characters every 4 or 8 positions, turning a raw 32-character string into a readable license key or activation code that humans can actually type without errors. One caveat: this tool runs in the browser and is best suited for mock data, staging environments, and prototyping rather than production secrets.

Read the complete guide — 4 min read

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Set the Count field to the number of tokens you need — up to the available maximum.
  2. Set the Length field to match your system's requirement (32 for most API keys, 6 for PIN codes).
  3. Choose a charset from the Format dropdown: hex for crypto contexts, base62 for URLs, numeric for PINs.
  4. Optionally pick a dash separator (every 4 or 8 chars) if the token will be read or typed by humans.
  5. Click Generate, then copy individual tokens or the full list into your project, spreadsheet, or database.

Use Cases

  • Generating 20 base62 invite tokens to seed a SaaS beta launch table in Postgres
  • Producing dash-separated uppercase hex strings formatted as software license keys for QA review
  • Creating 6-digit numeric PINs to mock SMS two-factor authentication flows in Cypress tests
  • Supplying random CSRF token values when testing form submission security in Postman collections
  • Building base36 referral slugs that are case-insensitive and safe for users to type manually

Tips

  • For license keys, use uppercase hex with a dash every 4 characters and a length of 16 — giving the classic XXXX-XXXX-XXXX-XXXX format.
  • Base62 at length 22 gives you the same 128 bits of entropy as 32 hex characters, saving space in URLs and QR codes.
  • Generate 20-30 tokens at once when seeding a test database — far faster than re-clicking for each row.
  • Avoid numeric-only tokens shorter than 8 digits for any web-facing code; a 6-digit PIN has only 1 million combinations and is trivially brute-forced without rate limiting.
  • When copying tokens for a .env file, use no separator and hex or base62 — many config parsers choke on dashes inside variable values.
  • Use base36 over base62 when the token will appear in printed materials or be typed by non-technical users — removing uppercase prevents a/A and 0/O confusion.

FAQ

hex vs base62 tokens — which should I use?

Hex (0–9, a–f) is the standard for crypto output and works directly with libraries that expect SHA hashes or AES keys — a 32-char hex token carries 128 bits of entropy. Base62 (0–9, A–Z, a–z) fits the same entropy into fewer characters and is URL-safe without percent-encoding, making it better for invite links, coupon codes, and short identifiers embedded in URLs.

are the tokens from this generator safe to use in production

Yes — this tool now uses the Web Crypto API (crypto.getRandomValues), a cryptographically secure random source, with unbiased rejection sampling, so tokens generated here are suitable for client-side use such as CSRF tokens or nonces. For server-issued secrets like session tokens and API keys, still generate them server-side with your platform's crypto (for example Node's crypto.randomBytes) so the secret never touches the browser.

how long should a token be for an api key or reset link

128 bits of entropy is the accepted security floor — that's 32 hex characters or about 22 base62 characters. Most API keys and session tokens use 32–64 hex characters to stay well above that bar. For low-risk use cases like voucher codes or referral slugs, 12–16 characters is usually enough to resist brute-force guessing.

What is a secure random token used for?

Secure random tokens back session identifiers, API keys, password-reset and email-verification links, CSRF tokens, and nonces — anywhere a value must be unguessable so an attacker cannot forge or predict it. The generator produces high-entropy tokens from a cryptographically secure source in several formats, so you get unpredictable values; for server-side secrets, generate them on the server so they are never exposed to the client.

How much entropy does a token need?

The widely accepted floor is 128 bits of entropy — that is 32 hexadecimal characters or about 22 Base62 characters — which makes brute-forcing infeasible; sensitive secrets often use 256 bits. The generator lets you set the length, so choose at least 32 hex characters for security-critical tokens, and remember that entropy comes from the random source (now crypto-grade here) as well as the length.

You might also like

Popular tools from other categories that share themes with this one.

Try these next

More free tools from other corners of the catalog, picked by shared themes.