Token Maker

The Token Maker creates random tokens you can use as API keys, session identifiers, password reset codes, CSRF tokens, or anywhere you need an unguessable string. Every token is generated with crypto.getRandomValues — the browser's secure random source — so the entropy is production-grade. Pick the character set (alphanumeric, hex, base64-url), set the length, optionally add a prefix like 'tk_' or 'sess_', and generate one token or up to 50 at once for bulk seeding.

Built by Bob Article by Lace QA by Ben Shipped May 9, 2026

How to use

1
Choose a token length with the slider. 32 characters is a sensible default; 16 is short but acceptable; 64+ is overkill for most uses but doesn't hurt.
2
Pick a character set. Alphanumeric is the most common. Hex is shorter alphabet but easier to read in URLs. Base64-url is what JWTs and OAuth tokens use. Numeric is for numeric-only codes (e.g. SMS verification).
3
Optional prefix: add a vendor or category prefix like 'sk_live_', 'pk_', 'tk_'. Stripe, GitHub, and most modern APIs use prefixed tokens because the prefix tells you what kind of token it is at a glance.
4
Set the quantity if you need multiple at once (good for seeding databases or generating an initial pool).
5
Tap Generate. Each token gets its own copy button, plus Copy all for the whole batch.

🔑 Password Generator 🆔 UUID Generator 🔐 SHA-256 Generator 🔤 Base64 Encoder/Decoder

Frequently asked questions

Is this actually secure?

Yes. Every token uses crypto.getRandomValues(), which is the W3C standard cryptographically secure random source built into every modern browser. It's the same entropy source recommended by OWASP for generating session IDs, password reset tokens, and API keys.

What length should I use?

For session tokens or API keys: 32 characters of alphanumeric (~190 bits of entropy) is more than enough — the universe will end before someone brute-forces it. For shorter, human-typeable codes (SMS verification, magic links): 8-12 numeric or hex is fine. The longer the token, the more entropy, but past 32 chars you're not gaining real security.

Which character set should I pick?

Alphanumeric is the universal default. Hex is a good pick for URLs because it doesn't need encoding. Base64-url is what OAuth and JWT use; pick it if you need wide character density (more entropy per character). Numeric is only for human-typed codes (don't use it for API keys — too few characters per length).

What's the prefix for?

A token prefix like 'tk_', 'sk_live_', or 'pk_' tells anyone who finds the token (in a log, in source control, etc.) what kind of secret it is. Stripe popularized this — 'sk_' = secret key, 'pk_' = publishable key, '_live_' / '_test_' = environment. It's a small touch that prevents a lot of confusion in incident response.

Can I generate JWT tokens with this?

Not exactly. JWT (JSON Web Token) is a structured format with a header, payload, and signature joined by dots. This tool generates the random secret you'd USE inside a JWT (for HMAC signing) or the unguessable JTI (token ID) field. To actually sign a JWT you need a JWT library and your secret.

Are these tokens unique?

Within a single batch, yes — duplicates at 32 characters of alphanumeric are statistically impossible (collision probability is roughly 1 in 10^57 per pair). Across separate generations, the same applies as long as you keep the length above ~16 chars.

Is my data saved or sent anywhere?

No. Every token is generated in your browser and shown only to you. Nothing is sent to a server, logged, or stored. The crypto.getRandomValues entropy comes from your operating system's CSPRNG, never leaves the browser.

What's the difference between this and the Password Generator?

Password Generator is tuned for human-typed passwords — character variety, strength meter, on/off toggles for symbols (which break URLs and shells). Token Maker is tuned for machine-readable tokens — fixed character classes, prefix support, bulk generation. Use Password Generator for things humans type; use Token Maker for things programs read.

Ratings & Reviews

Rate this tool

Loading reviews…

What a Token Maker Is, In One Paragraph

A token is an unguessable string a system uses to identify something — an API request, a session, a one-click magic link, a password reset. Token Maker generates those strings with cryptographically secure entropy: every character is drawn from crypto.getRandomValues, the same source recommended by OWASP for session IDs. You pick the length, the character set, and an optional vendor-style prefix; the tool produces one token or a batch of fifty.

It's not a replacement for the Password Generator (which is tuned for human-typed passwords with strength meters and visibility toggles). It's a replacement for opening a Node REPL and typing require('crypto').randomBytes(32).toString('hex').

How the Microapp Token Maker Works

Drag the slider to set the length (8 to 128 characters). Pick a character set — alphanumeric is the universal default, hex for URL-friendly strings, base64-url for what JWTs and OAuth tokens use, numeric for SMS-style verification codes, uppercase-hex when you need machine-readable HEX. Add an optional prefix like tk_, sk_live_, pk_ — Stripe popularized this; modern APIs use it because the prefix tells you what kind of token it is at a glance. Set the quantity if you need to seed multiple tokens at once. Click Generate; copy individual tokens or copy the whole batch.

Every byte of randomness comes from crypto.getRandomValues. There's no Math.random anywhere in the path — that one would be predictable enough to brute-force in seconds. Nothing leaves your browser; the tokens you see are the only copy that exists.

Worked example. You're seeding test data for a payments integration. Generate 20 tokens with prefix sk_test_, length 24, alphanumeric. Result: sk_test_aB8cD9eF1gH2iJ3kL4mN5oP6 ×20. Drop them into your fixtures table; each one is collision-resistant for the lifetime of the universe.

What Token Length Actually Means

Token security isn't about the length — it's about the entropy. A 32-character alphanumeric token has 62³² possible values, which is roughly 10⁵⁷. To brute-force one, an attacker would need to check more tokens than there are atoms in the observable universe. That's "longer than the heat-death of the universe" secure.

For most uses, 32 alphanumeric characters is the sweet spot: long enough to be unguessable, short enough to log without filling the line, easy to copy by triple-click. Going to 64 doesn't add real security — it adds storage and visual clutter. Going below 16 starts to be brute-forceable for high-value targets.

Which Character Set To Pick

Character set	Best for	Why
Alphanumeric	API keys, session IDs	Universal default — works everywhere, no escaping needed
Hex (lowercase)	URLs, file names	URL-safe, no case confusion
Base64-url	JWTs, OAuth tokens	Wider alphabet = more entropy per character
Numeric	SMS verification codes	Easy to type on a numeric keypad
Uppercase hex	Machine logs, database IDs	Readable in monospace; standard for many systems

What the Prefix Is For

A token prefix like tk_, sk_live_, or ghp_ tells anyone who finds the token in a log, in source control, or in a Slack message what kind of secret it is. Stripe started this practice — sk_ means secret key, pk_ means publishable, _live_ versus _test_ tells you the environment. GitHub adopted it (ghp_, gho_, ghs_). Slack does it (xoxb-, xoxp-).

It's a small touch that prevents enormous incident-response confusion: when a junior engineer accidentally commits a token to a public repo, the prefix tells the security team within seconds whether they need to rotate a production payment key or just a sandbox API token. Worth the four extra characters.

Common Pitfalls

Using Math.random. Tempting because it's two characters shorter to type. Catastrophic because Math.random is a deterministic PRNG seeded from system state — given enough samples, an attacker can predict the next value. Never generate tokens with Math.random. The Token Maker uses crypto.getRandomValues exclusively for this reason.

Storing tokens in plaintext. Tokens act like passwords — they grant access. Store them hashed (bcrypt, Argon2) on the server, send them to the client once at creation, and let the client store the value. If your database is breached, hashed tokens are useless to the attacker.

No expiration. Tokens that never expire become permanent risk. Always set an expiration (exp claim for JWTs, a TTL on the database row otherwise) and force re-issue periodically.

Reusing the same secret across environments. Production tokens should be different from staging which should be different from development. The prefix convention helps enforce this — if your dev environment accidentally generates a sk_live_ token, that's a glaring red flag.

Related Tools

For human-typed passwords with a strength meter, use the Password Generator. For unique IDs (UUIDs) used as primary keys in databases, the UUID Generator is the right choice. To hash a token before storing it, the SHA-256 Generator covers most use cases. For one-time codes (TOTP / 2FA), see the OTP Generator. For structured signed tokens with a payload (JWTs), use the JWT Token Generator.

Token Maker

How to use

Related tools

Frequently asked questions

Ratings & Reviews

Rate this tool

What a Token Maker Is, In One Paragraph

How the Microapp Token Maker Works

What Token Length Actually Means

Which Character Set To Pick

What the Prefix Is For

Common Pitfalls

Related Tools