Random Hex Token Generator
A random hex token generator creates fixed-length strings of hexadecimal characters used as unguessable identifiers in web apps, APIs, and auth flows. Password reset links, session IDs, webhook secrets, and API keys all rely on this pattern. Unlike UUIDs, hex tokens carry no version bits or imposed structure — just dense randomness sized to your exact entropy needs. This generator lets you set the token length (default 32 chars, giving 128-bit entropy), batch count, and an optional prefix like sk_ or whsec_. Bump the length to 64 for 256-bit API keys, add a prefix to mirror your production format, and copy a ready-to-use batch straight into your .env file or test fixtures.
How to use
- Choose your options above
- Click Generate
- Copy your result
Detailed instructions
- Set the Token Length field to the number of hex characters you need — 32 for standard 128-bit tokens, 64 for high-security API keys.
- Enter an optional prefix such as sk_, tok_, or whsec_ to match your application's naming convention.
- Set the Count field to how many tokens you need in one batch, then click Generate.
- Review the output list and copy individual tokens or select all to paste into your config file, fixture, or database seed script.
Use Cases
- Seeding a Postgres staging database with 200 unique password-reset tokens for load testing
- Populating a .env file with sk_-prefixed secret key placeholders before wiring up real server-side generation
- Generating whsec_-prefixed webhook signing secrets to test Stripe-style payload validation in Postman
- Creating CSRF token fixtures for Jest or Cypress integration tests covering form-submission flows
- Mocking OAuth client secrets in a Docker Compose config to run a full auth flow locally
Tips
- Match the prefix exactly to your production format — it makes secret-scanning tools like truffleHog and GitGuardian recognise leaked tokens automatically.
- For short-lived OTP-style codes, 16 characters (64-bit) is sufficient if you enforce expiry under 10 minutes and rate-limit verification attempts.
- Generate a batch of 20-30 tokens when seeding test databases rather than running the generator repeatedly — each run gives you fresh entropy with no repeats.
- Pair 64-character tokens with an HMAC signing step on the server; the hex token becomes the secret key, making your authentication scheme two-layered.
- Avoid odd-number lengths if you plan to decode the token as bytes — hex tokens decode cleanly only when the character count is even (each byte = 2 hex chars).
- After generating, immediately store hashed versions (SHA-256) in your database rather than the raw token, so a DB leak doesn't expose usable credentials.
FAQ
How long should a hex token be for password resets and session IDs?
32 hex characters (128-bit entropy) is the widely accepted minimum for security-sensitive tokens like password reset links and session identifiers. If you're generating long-lived API keys or signing secrets, step up to 64 characters for 256-bit entropy. Short-lived OTPs can safely use 16 characters because a tight expiry limits the brute-force window regardless.
What's the difference between a hex token and a UUID?
A UUID follows a strict 8-4-4-4-12 format with version and variant bits embedded, so some bits are fixed rather than random — a v4 UUID yields roughly 122 bits of entropy. A hex token is pure random output with no imposed structure, letting you dial the length and entropy precisely. For most auth use-cases where you control the format, hex tokens are simpler and slightly denser.
Can I use tokens from this generator directly in production?
The length and prefix format are production-ready, but browser-side generators shouldn't be trusted as your sole entropy source for live credentials. For real production tokens, generate them server-side with crypto.randomBytes() in Node.js or secrets.token_hex() in Python. Use this tool to prototype token formats, build test fixtures, and validate your parsing logic before connecting server-side generation.
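A server-side sketch of the advice above, added here as an example and not code from this tool: it generates prefixed tokens with secrets.token_hex(), rejects malformed or odd-length input, and persists only the SHA-256 digest. The sk_ prefix, the TokenStore class, and the helper names are assumptions for illustration; the dictionary stands in for a database table.

```python
import hashlib
import re
import secrets

PREFIX = "sk_"        # assumed prefix, borrowed from the page's examples
MIN_HEX_CHARS = 32    # 128 bits, the page's minimum for reset links and session IDs
_HEX = re.compile(r"[0-9a-f]+")


def new_token(hex_chars=MIN_HEX_CHARS, prefix=PREFIX):
    """Return prefix + hex_chars random hex characters from the OS CSPRNG."""
    if hex_chars < MIN_HEX_CHARS or hex_chars % 2:
        raise ValueError("length must be even and at least %d" % MIN_HEX_CHARS)
    return prefix + secrets.token_hex(hex_chars // 2)  # one byte = two hex chars


def entropy_bits(token, prefix=PREFIX):
    """Return the entropy in bits of a well-formed token, or None if malformed."""
    if not token.startswith(prefix):
        return None
    body = token[len(prefix):]
    if len(body) < MIN_HEX_CHARS or len(body) % 2 or not _HEX.fullmatch(body):
        return None
    return len(body) * 4  # each hex character carries 4 bits


def digest(token):
    """SHA-256 of the whole token; the only form that gets persisted."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """Hypothetical in-memory stand-in for a table keyed by token digest."""

    def __init__(self):
        self._owner_by_digest = {}

    def issue(self, owner, hex_chars=MIN_HEX_CHARS):
        token = new_token(hex_chars)
        self._owner_by_digest[digest(token)] = owner
        return token  # handed to the user once; the raw value is never stored

    def verify(self, presented):
        """Return the owner for a valid token, else None."""
        if entropy_bits(presented) is None:
            return None  # reject malformed input before hashing
        return self._owner_by_digest.get(digest(presented))
```

Because lookups go through the digest, a dump of the stored rows yields nothing that can be presented as a token.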