Numbers

Random Bytes Hex Generator

A random bytes hex generator is the fastest way to produce hex-encoded byte strings for tokens, keys, salts, and nonces without writing a single line of code. Each generated string mirrors what you'd get from Node.js crypto.randomBytes() or Python's os.urandom(), expressed as a compact hexadecimal sequence. Because hex encoding maps every byte to exactly two characters, a 16-byte output gives you a 32-character string representing 128 bits of data — enough entropy for most session identifiers and symmetric encryption keys. Choosing the right byte length matters. Sixteen bytes works for session tokens and CSRF protection values. Thirty-two bytes is the go-to for API secrets, HMAC keys, and JWT signing secrets where 256-bit strength is expected. Sixty-four bytes suits key derivation functions that require a long salt, such as bcrypt or Argon2 inputs. The separator option controls how individual bytes appear in the output. No separator gives you a dense, copy-paste-ready string. Colon-separated output matches the MAC address and TLS certificate fingerprint convention, making it readable for documentation or logging. Space-separated bytes are easier to scan when verifying values by eye during debugging. This generator is built for developers, security engineers, and anyone who needs hex byte strings on demand for prototyping, testing, or quick key generation. Set your byte length, choose how many strings you need, pick a separator style, and copy the results directly into your project or test suite.

How to Use

  1. Set the 'Number of bytes' field to your target length — 16 for 128-bit tokens, 32 for 256-bit secrets.
  2. Set 'How many' to the number of unique hex strings you need in a single batch.
  3. Choose a separator: none for raw code-ready strings, colon for MAC-style readability, or space for easy visual scanning.
  4. Click Generate to produce the batch of random hex byte strings.
  5. Click any result to copy it, or copy all strings at once to paste into your code, config file, or test fixture.

Use Cases

  • Generating 32-byte API keys for new backend service credentials
  • Producing 16-byte session tokens for web authentication flows
  • Creating unique nonces for OAuth 1.0a or CSRF protection headers
  • Generating random salts for bcrypt or Argon2 password hashing
  • Producing AES-128 or AES-256 test key material for cipher testing
  • Creating MAC address-style values for network simulation or mocking
  • Bulk-generating unique request IDs for distributed tracing setups
  • Building seed values for deterministic pseudorandom number generator tests

Tips

  • Generate 5-10 strings at once when testing, then discard all but one — variety reduces accidental reuse in test fixtures.
  • For bcrypt salts, 16 bytes is sufficient; Argon2id recommends at least 16 bytes but 32 is safer for long-term storage.
  • Colon-separated output can be pasted directly into Wireshark filters or network documentation without reformatting.
  • If your framework expects a base64-encoded secret rather than hex, generate 32 hex bytes then convert: the entropy is the same.
  • Never log or commit generated values — even test tokens become attack vectors if they reach version control or production logs.
  • Pair 12-byte output with AES-GCM nonces; pairing the wrong size nonce with a cipher is a common and silent cryptographic mistake.

FAQ

is this random bytes hex generator cryptographically secure?

No. This tool uses Math.random(), which is not cryptographically secure and should never be used for production secrets. For real keys and tokens, use crypto.randomBytes() in Node.js, os.urandom() in Python, or a hardware-backed CSPRNG in your environment. Use this generator for prototyping, test fixtures, and learning purposes only.

how many hex characters does 16 bytes produce?

Each byte encodes to exactly two hexadecimal characters, so 16 bytes produces a 32-character string. Thirty-two bytes gives 64 characters, and 64 bytes gives 128 characters. If you add a separator, the total length increases by the number of separators inserted between byte pairs.

how many bits is 16 bytes in hex?

Sixteen bytes equals 128 bits. This is the standard entropy size for AES-128 encryption keys, most session identifiers, and UUID v4 values. For 256-bit strength — required for AES-256 and many modern secrets — use 32 bytes.

what byte length should I use for an API key?

Thirty-two bytes (256 bits) is the widely accepted minimum for API keys and secret tokens. It provides enough entropy to make brute-force guessing infeasible. Some systems use 24 bytes as a compromise, but 32 is safer and remains the common recommendation in security guidelines like OWASP.

what is the difference between no separator and colon separator output?

No separator produces a continuous hex string like 'a3f1c2...', which is easiest to copy into code as a raw value. Colon-separated output looks like 'a3:f1:c2:...', matching the format used in MAC addresses and TLS fingerprints. Use colon format when the value needs to be human-readable in logs or documentation.

how do I convert a hex string back to bytes in code?

In Node.js use Buffer.from(hexString, 'hex'). In Python use bytes.fromhex(hex_string). In Go use hex.DecodeString(). These functions reverse the encoding and return the original byte array, which is what cryptographic functions typically expect as input.

what is a nonce and how many bytes should it be?

A nonce is a number used once — a random value included in a cryptographic operation to prevent replay attacks. AES-GCM requires a 12-byte (96-bit) nonce. OAuth nonces and CSRF tokens typically use 16 bytes. The key rule is that nonces must never repeat within the same key's lifetime.

can I use these hex strings as UUIDs?

Not directly. A UUID v4 is 128 bits with a specific hyphenated format and fixed version bits. A raw 16-byte hex string has the right amount of entropy but lacks the formatting. You can convert it manually by inserting hyphens at the right positions, but it's easier to use a dedicated UUID generator if UUID format compliance matters.