Cryptographically Secure API Token & Password Generator

A random token is a cryptographically unpredictable string of characters used to represent a secret, identity, or authorization grant in a system. Common uses include: API keys (authenticate requests to your service), session tokens (identify a logged-in user without exposing their password), CSRF tokens (prevent cross-site request forgery attacks), password reset tokens (single-use links for account recovery), webhook secrets (verify that incoming webhook payloads are from the expected sender), and JWT signing secrets (sign JSON Web Tokens for stateless authentication). The security of these systems depends entirely on the token being unpredictable, which is why our generator uses window.crypto.getRandomValues() instead of Math.random().

Math.random() is a pseudorandom number generator (PRNG), it produces numbers that appear random but follow a deterministic algorithm seeded at startup. In many environments, an attacker who observes enough outputs can predict future values, making Math.random()-generated tokens cryptographically weak and unsafe for security purposes. window.crypto.getRandomValues() is a Cryptographically Secure PRNG (CSPRNG), it draws entropy from the operating system's secure random source and is specifically designed for security use cases where unpredictability is mandatory. Our generator always uses window.crypto.getRandomValues(), falling back to Math.random() only if the Web Crypto API is unavailable (extremely rare in modern browsers).

Token length requirements depend on the use case and the attack model. 32 characters (alphanumeric) provides approximately 190 bits of entropy, secure for most session tokens and CSRF tokens. 64 characters is the practical standard for API keys and webhook secrets providing ~381 bits of entropy, effectively immune to brute-force attacks. 128 characters provides ~762 bits and is appropriate for long-lived secrets, encryption keys, and any token where maximum security is required. As a baseline rule: never use fewer than 32 characters for any security-sensitive token, and always use a CSPRNG like our generator rather than any predictable source.

The right character set depends on where the token will be used. Alphanumeric only (uppercase + lowercase + numbers) is the safest default, it works in URLs, HTTP headers, JSON values, and database fields without escaping. Add symbols for maximum entropy when the token will only appear in controlled environments like config files, environment variables, or server-to-server API calls where special characters don't cause parsing issues. Avoid symbols in tokens that appear in URLs (without encoding), email links, or any context where #, &, ?, or = could be misinterpreted. Our generator defaults to alphanumeric for maximum compatibility, with symbols as an opt-in for maximum entropy.

Yes, the generator's use of window.crypto.getRandomValues() makes it appropriate for generating: API keys (use 32–64 alphanumeric characters), JWT signing secrets (use 64+ characters; symbols safe here as the secret never leaves the server), webhook secrets (32–64 alphanumeric for broad compatibility), database encryption keys (use 64–128 characters; symbols acceptable), session tokens (32–64 alphanumeric), and password reset tokens (32 alphanumeric characters, single-use). The one caveat: for production cryptographic key material (AES keys, RSA private keys), use your platform's dedicated key generation tools (OpenSSL, Node.js crypto.generateKey()) rather than a character-based token generator.