Generate cryptographically secure random Base64 strings, perfect for session tokens, CSRF tokens, encryption keys, or test data. Uses window.crypto.getRandomValues, so the bytes come from the browser's cryptographically secure random number generator and are never sent anywhere.
16 bytes = 128-bit token (typical session/CSRF). 24 bytes = 192-bit. 32 bytes = 256-bit (AES-256 key, NaCl secret-key). 64 bytes = 512-bit (HMAC-SHA512 key). Encoded length is roughly ceil(bytes * 4 / 3).
The tool uses window.crypto.getRandomValues, the browser's cryptographically secure random number generator. It is suitable for session tokens, CSRF tokens, encryption keys, salts, and any other security-sensitive use. The fallback (Math.random) is only used in very old browsers and is not cryptographically secure.
16 bytes (128 bits) is the typical minimum for session and CSRF tokens. 24 bytes (192 bits) gives extra margin. 32 bytes (256 bits) is appropriate for AES-256 keys and modern cryptographic secrets. 64 bytes (512 bits) is overkill for most cases but suitable for HMAC-SHA512 keys.
Standard Base64 uses + and / characters, which have special meaning in URLs (and require percent-encoding). URL-safe Base64 (RFC 4648 §5) substitutes - and _ so the encoded string can be used directly in URLs, filenames, and JSON Web Tokens. The "no padding" variant drops the trailing = signs.
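A sketch of the generation and encoding steps described above, as an added example that is not this tool's own code. The function names (randomBase64, encodeBase64, encodedLength) are hypothetical, and unlike the tool it throws when no secure generator is available instead of falling back to Math.random.

```javascript
// Added example; all function names here are hypothetical, not the tool's code.
// window.crypto in a browser; the require() branch only lets this run in older Node.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Encode bytes as Base64. urlSafe switches to the RFC 4648 §5 alphabet
// ('-' and '_' instead of '+' and '/'); pad=false drops the trailing '='.
function encodeBase64(bytes, { urlSafe = false, pad = true } = {}) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  let out = btoa(bin);
  if (urlSafe) out = out.replace(/\+/g, '-').replace(/\//g, '_');
  if (!pad) out = out.replace(/=+$/, '');
  return out;
}

// Exact encoded length: padded output is 4 * ceil(n / 3) characters,
// unpadded output is ceil(4 * n / 3) characters.
function encodedLength(byteLength, pad = true) {
  return pad ? 4 * Math.ceil(byteLength / 3) : Math.ceil((4 * byteLength) / 3);
}

// Return byteLength random bytes from the CSPRNG, Base64-encoded.
function randomBase64(byteLength, opts = {}) {
  // getRandomValues rejects requests larger than 65536 bytes per call.
  if (!Number.isInteger(byteLength) || byteLength < 1 || byteLength > 65536) {
    throw new RangeError('byteLength must be an integer from 1 to 65536');
  }
  // Fail closed: a Math.random fallback would silently produce guessable tokens.
  if (!rng || typeof rng.getRandomValues !== 'function') {
    throw new Error('No CSPRNG available; refusing to generate a token');
  }
  const bytes = rng.getRandomValues(new Uint8Array(byteLength));
  return encodeBase64(bytes, opts);
}

// 32 bytes (256 bits), URL-safe and unpadded: usable directly in a URL or header.
console.log(randomBase64(32, { urlSafe: true, pad: false }));
```

The bytes 0xFB 0xFF encode to +/8= in standard Base64 and to -_8 in the URL-safe unpadded form, which shows both substitutions and the dropped padding in one value.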
No. They are generated in your browser and exist only on this page. We do not transmit them, log them, or store them. Refresh the page and they are gone.