Is this secure enough for real API keys?

Yes. We use window.crypto.getRandomValues() which is cryptographically secure. A 32-byte hex key has 256 bits of entropy — more than enough for most use cases.

What is token entropy?

Entropy measures how unpredictable a token is. It's calculated as log2(charset_size ^ token_length). Higher entropy = harder to brute-force. 128 bits is considered secure for most applications.

Token & API Key Generator

Generate secure API keys and tokens using crypto.getRandomValues(). Choose hex, base64url, or custom character sets. Shows entropy in bits.

Files never leave your browser

Token Type

Length32 chars

1664128

Use crypto-random

Count:

Entropy: 128 bits (High)Charset: 16 chars

How to use Token & API Key Generator

Generate cryptographically secure random tokens, API keys, secrets, and session IDs of any length in any format — hex, Base64, Base64 URL-safe, alphanumeric, or UUID v4. All generation uses the Web Crypto API (window.crypto.getRandomValues) for security-grade entropy. Essential for creating API keys, CSRF tokens, session secrets, OAuth states, webhook signing secrets, and JWT signing keys.

Select the output format: hex, Base64, Base64URL, alphanumeric, or UUID v4.
Set the byte length (32 bytes = 256 bits is recommended for API keys and secrets).
Click Generate to produce a new token.
Click Copy to copy it to your clipboard for use in .env files or config.
Click Generate Again for a new token without reloading the page.

Your data never leaves your device — 100% private processing.

Choosing the right format and length

Hex encoding represents each byte as 2 hex characters, so 32 bytes → 64 hex characters. Base64 is more compact: 32 bytes → 44 Base64 chars. Base64URL replaces + and / with - and _ for safe use in URLs and HTTP headers without URL encoding. For API keys meant to be typed or read, use alphanumeric (letters + numbers only, no symbols). For JWT signing secrets, use 32–64 random bytes in Base64. For OAuth state parameters, use 16+ bytes in Base64URL. UUID v4 is a 128-bit random value in the standard format (xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx).

Format	32-byte output length	Safe in URLs	Use case
Hex	64 chars	Yes	API keys, hashes, tokens
Base64	44 chars	No (has +/=)	JWT secrets, env vars
Base64URL	43 chars	Yes	OAuth state, URL params
Alphanumeric	~43 chars	Yes	Shareable codes, invites
UUID v4	36 chars	Yes	Record IDs, idempotency keys

Using tokens in .env files and CI/CD

Generated tokens are commonly used as environment variables in .env files, GitHub Actions secrets, and Kubernetes secrets. Always store tokens in environment variables — never hardcode them in source code. For .env files, wrap tokens that contain special characters in double quotes. For GitHub Actions, add the token as a repository or organization secret and reference it as ${{ secrets.MY_TOKEN }}. For Kubernetes, encode the token in Base64 before creating a secret manifest. Rotate tokens regularly, and use short-lived tokens (JWT with short exp claim) where possible over long-lived static secrets.

Glossary

CSRF token: A random value embedded in forms to prevent Cross-Site Request Forgery attacks — must be unpredictable.
JWT secret: A shared signing key used to create and verify JSON Web Tokens — must be at least 256 bits of random entropy.
Base64URL: A URL-safe variant of Base64 encoding that replaces + with - and / with _ to avoid issues in URLs and HTTP headers.
Idempotency key: A unique token sent with API requests to ensure the operation is processed exactly once, even if retried.

Frequently Asked Questions

Free · No spam

Get weekly tool tips & updates

New tools, power-user tips, and productivity hacks — delivered free every Friday.

No spam, ever. Unsubscribe with one click.

Why use Token & API Key Generator?

Cryptographically random generators for secure use cases
Fully configurable output — length, charset, quantity
Download or copy output in one click
No data logged or stored — 100% private generation

Common use cases

Generate a strong random password for a new account
Create test data with realistic-looking names and emails
Produce random numbers for a classroom lottery
Generate Lorem Ipsum placeholder text for mockups
Create unique UUIDs for software development

Related Generators

Password Generator

Generate strong, secure, random passwords instantly. Uses the Web Crypto API — nothing is sent to any server, so your passwords stay private.

UUID Generator

Generate random UUID v4, timestamp-based UUID v1, and ULID identifiers. Bulk-generate up to 100 at once and copy them instantly — free and private.

PIN Generator

Generate secure random PIN codes online. Choose 4, 6, 8, or custom length. Cryptographically random with options to avoid sequential and repeating digits.

Random Number Generator

Generate random numbers between any range instantly. Choose count, allow duplicates, and use dice shortcuts (d6, d20). Free online random number generator.

Random Picker

Pick a random item from a list online. Enter your options, spin, and get a winner instantly. Pick multiple winners without repeats. Free random choice picker.

List Randomizer / Shuffler

Randomize and shuffle any list online. Enter items, click shuffle, and get a randomly ordered list. Also sort alphabetically or by length.

Explore all Generators.