Skip to main content
Back to Numbers generators

Numbers

Secure Random Token Generator

Used by developers, writers, and creators worldwide.

A secure random token generator is the fastest way to produce high-entropy strings for API keys, session identifiers, invite links, and test fixtures. Pick from five character sets — lowercase hex, uppercase hex, base36, base62, or numeric — set the exact length your system expects, and generate up to several tokens at once. The dash-separator option groups characters every 4 or 8 positions, turning a raw 32-character string into a readable license key or activation code that humans can actually type without errors. One caveat: this tool runs in the browser and is best suited for mock data, staging environments, and prototyping rather than production secrets.

Loading usage…

Free forever — no account required

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Set the Count field to the number of tokens you need — up to the available maximum.
  2. Set the Length field to match your system's requirement (32 for most API keys, 6 for PIN codes).
  3. Choose a charset from the Format dropdown: hex for crypto contexts, base62 for URLs, numeric for PINs.
  4. Optionally pick a dash separator (every 4 or 8 chars) if the token will be read or typed by humans.
  5. Click Generate, then copy individual tokens or the full list into your project, spreadsheet, or database.

Use Cases

  • Generating 20 base62 invite tokens to seed a SaaS beta launch table in Postgres
  • Producing dash-separated uppercase hex strings formatted as software license keys for QA review
  • Creating 6-digit numeric PINs to mock SMS two-factor authentication flows in Cypress tests
  • Supplying random CSRF token values when testing form submission security in Postman collections
  • Building base36 referral slugs that are case-insensitive and safe for users to type manually

Tips

  • For license keys, use uppercase hex with a dash every 4 characters and a length of 16 — giving the classic XXXX-XXXX-XXXX-XXXX format.
  • Base62 at length 22 gives you the same 128 bits of entropy as 32 hex characters, saving space in URLs and QR codes.
  • Generate 20-30 tokens at once when seeding a test database — far faster than re-clicking for each row.
  • Avoid numeric-only tokens shorter than 8 digits for any web-facing code; a 6-digit PIN has only 1 million combinations and is trivially brute-forced without rate limiting.
  • When copying tokens for a .env file, use no separator and hex or base62 — many config parsers choke on dashes inside variable values.
  • Use base36 over base62 when the token will appear in printed materials or be typed by non-technical users — removing uppercase prevents a/A and 0/O confusion.

FAQ

hex vs base62 tokens — which should I use?

Hex (0–9, a–f) is the standard for crypto output and works directly with libraries that expect SHA hashes or AES keys — a 32-char hex token carries 128 bits of entropy. Base62 (0–9, A–Z, a–z) fits the same entropy into fewer characters and is URL-safe without percent-encoding, making it better for invite links, coupon codes, and short identifiers embedded in URLs.

are the tokens from this generator safe to use in production

No — this tool uses JavaScript's Math.random(), which is a pseudorandom generator not designed for security-critical output. For production session tokens, password reset links, or API keys, generate them server-side with Node.js crypto.randomBytes(), Python's secrets.token_hex(), or an equivalent CSPRNG. Use this generator for mock data, staging seeds, and prototyping.

how long should a token be for an api key or reset link

128 bits of entropy is the accepted security floor — that's 32 hex characters or about 22 base62 characters. Most API keys and session tokens use 32–64 hex characters to stay well above that bar. For low-risk use cases like voucher codes or referral slugs, 12–16 characters is usually enough to resist brute-force guessing.