ToolFarm

Random Token Generator

Generate unguessable random tokens for sessions, password reset links, email verification and recovery flows.

Tokens are generated locally with the Web Crypto API and never reach our servers.

Where secure tokens are used

Many flows depend on a value that an attacker cannot predict: a session identifier, a one-time password reset link, an email verification code or a recovery token. If any of these is guessable, accounts are at risk.

Generate tokens from a CSPRNG, make the sensitive ones single use and time limited, and store them hashed. A short lifetime limits the damage if a token ever leaks.

Best practices

  • Use at least 16 bytes for short-lived tokens and 32 bytes for anything sensitive.
  • Make reset and verification tokens single use and give them a short expiry.
  • Store tokens hashed on the server, never in plain text.
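
The practices above combined into one server-side flow for a password reset token, as an added example that is not part of this page or of the tool's own code. It runs on Node.js; the in-memory `store`, the function names and the one-hour lifetime are assumptions standing in for your own database and policy.

```javascript
// Added example (not the tool's code): issue and redeem a single-use reset token.
const nodeCrypto = require("node:crypto");

const TOKEN_BYTES = 32;         // 32 random bytes for a sensitive token
const TTL_MS = 60 * 60 * 1000;  // assumed policy: expire after one hour
// Hypothetical stand-in for a database table: sha256(token) hex -> { userId, expiresAt }
const store = new Map();

// A fast unsalted hash is adequate here because the input is 256 bits of
// CSPRNG output, not a human-chosen password.
function hashToken(token) {
  return nodeCrypto.createHash("sha256").update(token, "utf8").digest("hex");
}

// Returns the plaintext token for the reset link. Only its hash is stored,
// so a leaked table does not yield usable links.
function issueToken(userId, now = Date.now()) {
  const token = nodeCrypto.randomBytes(TOKEN_BYTES).toString("base64url");
  store.set(hashToken(token), { userId, expiresAt: now + TTL_MS });
  return token;
}

// Returns the userId for a valid token, or null. The record is deleted on
// first lookup, so a second presentation of the same link fails.
function redeemToken(presented, now = Date.now()) {
  // 32 bytes encode to exactly 43 unpadded base64url characters.
  if (typeof presented !== "string" || !/^[A-Za-z0-9_-]{43}$/.test(presented)) {
    return null;
  }
  const key = hashToken(presented);
  const row = store.get(key);
  if (!row) return null;
  store.delete(key); // consume even when expired, so stale rows do not linger
  return now < row.expiresAt ? row.userId : null;
}
```

In a real database, make the delete and the lookup one atomic statement so two concurrent requests cannot both redeem the same token.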

Every generator below is the same local, Web Crypto-powered tool, preset for a different job. Nothing you generate leaves your browser.

Frequently asked questions

How long should a session token be?

At least 16 bytes (128 bits) of entropy, and 32 bytes for sensitive sessions. This tool defaults to a 32 byte token encoded as base64url.

Should reset tokens expire?

Yes. Password reset and verification tokens should be single use and expire quickly, often within an hour, so a leaked link cannot be replayed later.

Can I use a UUID as a token?

A v4 UUID is random but only carries about 122 bits and is meant to identify, not to authenticate. For security tokens prefer 32 random bytes from a CSPRNG.

Are these tokens stored anywhere?

Not by us. They are generated in your browser and never transmitted. Store them yourself, hashed, with an expiry on your server.