Secure Token Generator
Generate random API keys, secrets and tokens — created in your browser, never sent anywhere.
Frequently Asked Questions
What can I use these tokens for?
Anything that needs an unpredictable value: API keys, application secrets, session identifiers, CSRF tokens, password-reset links, webhook signing keys, or one-off invite codes.
How secure are the tokens?
They are produced with the browser's cryptographically secure random generator (the Web Crypto API) and characters are chosen without modulo bias, so every value is unpredictable and uniformly distributed.
Which format should I pick?
Hex is universally safe and case-insensitive. Base64 is more compact. Base64URL is Base64 that is safe to drop straight into URLs and filenames (no + / or = characters). Alphanumeric avoids symbols entirely for maximum compatibility.
How long should a token be?
For secrets and API keys, aim for at least 128 bits of entropy — the tool shows the estimated entropy as you change the length, so you can target 128 bits or more.
Is anything sent to a server?
No. Every token is generated locally in your browser and never leaves your device — it is not uploaded, logged, or stored.
Can I generate a new token without reloading?
Yes. Press Regenerate, or change the length or format, and a fresh token is produced instantly.