Skip to main content
Back to Numbers generators

Numbers

Random Bytes Hex Generator

A random bytes hex generator lets you produce hex-encoded byte strings for tokens, keys, salts, and nonces without writing any code. Each output mirrors what you'd get from Node.js crypto.randomBytes() or Python's os.urandom() — two hex characters per byte, so 16 bytes gives you a 32-character string carrying 128 bits of entropy. That's enough for most session tokens and CSRF values. Need 256-bit strength for an API secret or JWT signing key? Switch to 32 bytes. You can generate up to a batch at a time, choose your byte length, and control how individual bytes appear: no separator for copy-paste-ready strings, colon-separated for TLS fingerprint style, or dash-separated for readability in logs and docs.

Read the complete guide — 4 min read

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Set the 'Number of bytes' field to your target length — 16 for 128-bit tokens, 32 for 256-bit secrets.
  2. Set 'How many' to the number of unique hex strings you need in a single batch.
  3. Choose a separator: none for raw code-ready strings, colon for MAC-style readability, or space for easy visual scanning.
  4. Click Generate to produce the batch of random hex byte strings.
  5. Click any result to copy it, or copy all strings at once to paste into your code, config file, or test fixture.

Use Cases

  • Generating 32-byte JWT signing secrets to paste into a .env file during local API development
  • Producing colon-separated 16-byte values to mock TLS certificate fingerprints in Postman test scripts
  • Creating 64-byte salts for Argon2 password hashing in a Node.js authentication service
  • Bulk-generating 20 unique 16-byte request IDs to seed distributed tracing fixtures in a Jest test suite
  • Producing 12-byte AES-GCM nonces to populate cipher test vectors in a Go cryptography unit test

Tips

  • Generate 5-10 strings at once when testing, then discard all but one — variety reduces accidental reuse in test fixtures.
  • For bcrypt salts, 16 bytes is sufficient; Argon2id recommends at least 16 bytes but 32 is safer for long-term storage.
  • Colon-separated output can be pasted directly into Wireshark filters or network documentation without reformatting.
  • If your framework expects a base64-encoded secret rather than hex, generate 32 hex bytes then convert: the entropy is the same.
  • Never log or commit generated values — even test tokens become attack vectors if they reach version control or production logs.
  • Pair 12-byte output with AES-GCM nonces; pairing the wrong size nonce with a cipher is a common and silent cryptographic mistake.

FAQ

is the output from this random bytes hex generator safe to use in production

No. This tool runs in the browser using Math.random(), which is not a cryptographically secure PRNG and should never be used for real secrets. For production keys, tokens, and salts use crypto.randomBytes() in Node.js, os.urandom() in Python, or your platform's hardware-backed CSPRNG. This generator is best suited for prototyping, test fixtures, and documentation examples.

how many hex characters does a given byte length produce

Every byte encodes to exactly two hex characters, so the output length in characters is always twice the byte count. Sixteen bytes gives 32 characters, 32 bytes gives 64, and 64 bytes gives 128. If you choose a separator like colon or dash, each separator adds one character between every pair of bytes, making the total string longer.

what byte length should I use for different secrets like api keys or nonces

For API keys and HMAC secrets, 32 bytes (256 bits) is the OWASP-recommended minimum — enough entropy to make brute-force infeasible. Session tokens and CSRF values are fine at 16 bytes (128 bits). AES-GCM nonces should be exactly 12 bytes. When in doubt, 32 bytes covers most modern security requirements.

What is a byte in hexadecimal?

A byte is eight bits, and in hexadecimal it is written as exactly two characters (00 to FF, i.e. 0 to 255 in decimal) — which is why hex is the natural way to display raw bytes compactly. The generator outputs random bytes as hex, so a 16-byte value shows as 32 hex characters, matching how keys, hashes, and binary data are commonly represented in code and config.

How do I generate cryptographically secure random bytes for real?

Use a crypto-grade source: in the browser crypto.getRandomValues(new Uint8Array(n)), and on a server Node's crypto.randomBytes(n) or your language's secure RNG. This particular generator uses Math.random() for quick illustrative output and is not secure — as its other answer notes, never use it for real secrets; reach for the platform crypto APIs whenever the bytes actually protect something.

You might also like

Popular tools from other categories that share themes with this one.

Try these next

More free tools from other corners of the catalog, picked by shared themes.