Secure Token Generator

About This Tool

🔐 Secure Token Generator – Cryptographically Safe Keys & Secrets

The Secure Token Generator is a browser-based tool for generating cryptographically secure random tokens, API keys, passwords, UUIDs, nonces, and short unique IDs. All randomness is sourced from window.crypto.getRandomValues() — the browser's native Web Cryptography API — ensuring your tokens are unpredictable and suitable for security-sensitive applications.

Unlike tokens produced by Math.random(), which is a pseudorandom number generator unsuitable for security, this tool produces tokens that are cryptographically indistinguishable from truly random data.

🛡️ Supported Token Modes

Choose from seven generation modes, each tailored to a specific use case:

  • API Key / Secret Token — A hex- or base64-encoded random byte sequence, ideal for API authentication, OAuth client secrets, and service credentials.
  • UUID v4 — A standards-compliant RFC 4122 random UUID with 122 bits of entropy, used as database primary keys, correlation IDs, and resource identifiers.
  • UUID v7 — A time-ordered UUID per RFC 9562, embedding a 48-bit Unix timestamp in the high bits. Ideal for database keys that must sort chronologically.
  • Secure Password — A configurable character-set password with upper/lowercase, digits, and symbols, with an option to exclude ambiguous characters (0/O, 1/l/I) for better readability.
  • Base64 URL-safe Token — A compact, URL-embeddable token suitable for cookies, OAuth state parameters, and email verification links.
  • Nonce / Salt / IV — Fixed-size random values for cryptographic operations: AES initialization vectors (16 bytes), HMAC salts, and challenge-response nonces.
  • NanoID / Short ID — URL-friendly unique identifiers using a URL-safe alphabet (A–Z, a–z, 0–9, -, _), similar to the popular nanoid library.

📐 Understanding Entropy

Entropy measures the unpredictability of a token in bits. The formula for character-based tokens is:

Entropy (bits) = log₂(alphabet size) × token length

For byte-based tokens (API keys, nonces), each byte contributes 8 bits of entropy. Common reference points:

  • UUID v4: 122 bits of randomness (6 bits are fixed for version and variant)
  • 32-byte hex token: 256 bits — rated Excellent
  • 20-char alphanumeric+symbol password: ~131 bits — rated Strong

Strength thresholds

Weak: <64 bits | Good: 64–127 bits | Strong: 128–255 bits | Excellent: ≥256 bits
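
The entropy formula only holds if every character is equally likely, so a character-based generator has to avoid modulo bias when it maps random bytes onto an alphabet. The following is an added example, not the tool's own code: it draws characters by rejection sampling and rates the result with the thresholds above. The 94-character alphabet and all function names are assumptions made for illustration.

```javascript
// Added example: unbiased character selection and the page's entropy rating.
// Browsers and current Node.js expose globalThis.crypto; older Node.js falls back to require.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed alphabet: the 94 printable ASCII characters '!' (0x21) to '~' (0x7E).
const PRINTABLE = Array.from({ length: 94 }, (_, i) => String.fromCharCode(0x21 + i)).join("");
const AMBIGUOUS = "0O1lI"; // the characters the page lists as ambiguous

function withoutAmbiguous(alphabet) {
  return [...alphabet].filter((c) => !AMBIGUOUS.includes(c)).join("");
}

function randomString(length, alphabet) {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError("alphabet must hold 2 to 256 characters");
  // Bytes at or above `limit` are discarded; taking `byte % n` on them would
  // make the first (256 % n) characters slightly more likely than the rest.
  const limit = 256 - (256 % n);
  // getRandomValues accepts at most 65536 bytes per call.
  const buf = new Uint8Array(Math.min(65536, Math.max(16, length * 2)));
  let out = "";
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out += alphabet[b % n];
    }
  }
  return out;
}

// Entropy (bits) = log2(alphabet size) x token length
function entropyBits(alphabetSize, length) {
  return Math.log2(alphabetSize) * length;
}

// Thresholds as given on the page.
function strength(bits) {
  if (bits < 64) return "Weak";
  if (bits < 128) return "Good";
  if (bits < 256) return "Strong";
  return "Excellent";
}

const bits = entropyBits(PRINTABLE.length, 20);
console.log(randomString(20, PRINTABLE), bits.toFixed(1), strength(bits));
```

With this constructed alphabet, removing the five ambiguous characters leaves 89 symbols, which lowers a 20-character password to about 129.5 bits.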

⚙️ Output Encodings Explained

The same random bytes can be represented in several encodings, each with different trade-offs:

  • Hex — Uses characters 0–9 and a–f. Output is exactly 2× the byte count. Easy to read and compare; safe in all contexts.
  • Base64 — Uses A–Z, a–z, 0–9, +, /. Approximately 1.33× the byte count. Compact but contains characters that need escaping in URLs.
  • Base64 URL-safe — Replaces + with - and / with _, omits padding. Safe in URL query strings, HTTP headers, and cookies without encoding.
  • Binary — Raw bit representation as space-separated 8-bit groups. Useful for educational purposes and low-level debugging.

🔑 Common Use Cases & Recommended Settings

Here are recommended configurations for typical developer scenarios:

  • API Key: Mode = API Key, 32 bytes, Hex or Base64 URL-safe → 256 bits entropy (Excellent)
  • Session Token / CSRF Token: Mode = API Key, 16–32 bytes, Base64 URL-safe → 128–256 bits
  • Database Primary Key: Mode = UUID v4 (random) or UUID v7 (time-sortable)
  • Human-readable Password: Mode = Secure Password, 20 chars, Alphanumeric+Symbols, Exclude Ambiguous → ~131 bits
  • AES-256 IV: Mode = Nonce/IV, 16 bytes, Hex
  • Short URL ID: Mode = NanoID, 21 characters → ~126 bits
  • Webhook Secret: Mode = API Key, 32 bytes, Hex, Prefix = whsec_

🔒 Privacy & Security

This tool operates 100% client-side. No tokens, inputs, or configuration data are ever transmitted to any server. Your generated secrets stay on your device. The tool does not use cookies, analytics, or any form of persistent storage for your generated values.

Always store generated secrets securely — never commit them to version control, embed them in client-side JavaScript, or log them in plaintext. For server-side storage, use a secrets manager or store a hashed version (e.g., HMAC-SHA256) of the token.
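
One way to apply the storage advice above on a server, as an added example that is not part of the tool: the token is shown to the client once, only its HMAC-SHA256 digest is stored, and verification uses a constant-time comparison. It assumes Node.js; `SERVER_KEY` is constructed here and would come from a secrets manager in practice, and the function names are hypothetical.

```javascript
// Added example: store only an HMAC-SHA256 digest of an issued token (Node.js).
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// Constructed for the example; in production this key is loaded from a
// secrets manager and never stored next to the digests.
const SERVER_KEY = randomBytes(32);

function digest(token) {
  return createHmac("sha256", SERVER_KEY).update(token, "utf8").digest();
}

// 32 random bytes, hex-encoded, with the webhook prefix from the settings list.
function issueToken(prefix = "whsec_") {
  const token = prefix + randomBytes(32).toString("hex");
  // `token` goes to the client once; only `stored` is written to the database.
  return { token, stored: digest(token) };
}

function verifyToken(presented, stored) {
  const candidate = digest(String(presented));
  // timingSafeEqual throws on unequal lengths, so check them first.
  return candidate.length === stored.length && timingSafeEqual(candidate, stored);
}

const { token, stored } = issueToken();
console.log(token.length, stored.toString("hex"), verifyToken(token, stored));
```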

Frequently Asked Questions

Is the Secure Token Generator free?

Yes, Secure Token Generator is totally free :)

Can I use the Secure Token Generator offline?

Yes, you can install the webapp as a PWA.

Is it safe to use Secure Token Generator?

Yes. Any data related to Secure Token Generator is stored only in your browser (if storage is required). You can clear your browser cache to remove all stored data. We do not store any data on a server.

How does this Secure Token Generator work?

This tool uses the browser's native Web Cryptography API (window.crypto.getRandomValues()) to generate cryptographically secure random tokens. All generation happens entirely in your browser — no data is sent to any server.

What is the difference between hex, base64, and base64 URL-safe encodings?

Hex encoding uses characters 0–9 and a–f, making tokens 2× longer than the raw byte count. Base64 is more compact (~1.33× the byte size) and uses A–Z, a–z, 0–9, +, and /. Base64 URL-safe replaces + with - and / with _ to make tokens safe to embed in URLs without escaping.

What is entropy and why does it matter for token security?

Entropy measures the unpredictability of a token in bits. Higher entropy means it's harder to guess by brute force. 128-bit entropy is considered strong for most applications; 256-bit is excellent and used for long-lived secrets like API keys.

Is this tool safe for generating production API keys and secrets?

Yes — the tool uses cryptographically secure randomness (not Math.random()) and all processing is local to your browser. For production systems, also ensure you store tokens securely (e.g., hashed in a database) and never expose them in client-side code.

What is a UUID v7 and how is it different from UUID v4?

UUID v4 is fully random (122 bits of entropy). UUID v7 is time-ordered — it embeds the current Unix timestamp in the first 48 bits, making it monotonically sortable by creation time. This is useful for database primary keys that need both uniqueness and temporal ordering.
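
The two layouts described above, as an added example that is not the tool's own code: both start from 16 random bytes, and v7 overwrites the first 48 bits with the millisecond timestamp before the version and variant bits are set. Function names are assumptions made for illustration.

```javascript
// Added example: building UUID v4 and v7 from getRandomValues().
// Browsers and current Node.js expose globalThis.crypto; older Node.js falls back to require.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

function formatUuid(bytes) {
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20)].join("-");
}

function setVersionAndVariant(bytes, version) {
  bytes[6] = (bytes[6] & 0x0f) | (version << 4); // 4 fixed version bits
  bytes[8] = (bytes[8] & 0x3f) | 0x80;           // 2 fixed variant bits (10)
  return bytes;
}

function uuidV4() {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  return formatUuid(setVersionAndVariant(bytes, 4)); // 128 - 6 = 122 random bits
}

function uuidV7(nowMs = Date.now()) {
  if (!Number.isInteger(nowMs) || nowMs < 0 || nowMs >= 2 ** 48) {
    throw new RangeError("timestamp must fit in 48 bits");
  }
  const bytes = rng.getRandomValues(new Uint8Array(16));
  // Write the timestamp big-endian into bytes 0..5. Division is used because
  // JavaScript bitwise operators truncate to 32 bits.
  let ts = nowMs;
  for (let i = 5; i >= 0; i--) {
    bytes[i] = ts % 256;
    ts = Math.floor(ts / 256);
  }
  // The remaining 74 bits stay random; order within one millisecond is not
  // guaranteed by this sketch.
  return formatUuid(setVersionAndVariant(bytes, 7));
}

// Recover the creation time that anyone holding a v7 value can read.
function uuidV7Timestamp(uuid) {
  return parseInt(uuid.replace(/-/g, "").slice(0, 12), 16);
}

console.log(uuidV4(), uuidV7(), new Date(uuidV7Timestamp(uuidV7())).toISOString());
```

A v7 value exposes its creation time and carries 74 random bits, which fits the page's use of it for database keys while API keys and session tokens use the fully random modes.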

Can I generate tokens in bulk and download them?

Yes. Set the Quantity field to any value between 1 and 100 to generate multiple tokens at once. Use the Download button to save them as a .txt file, or Copy All to copy the batch to your clipboard.