Random Secret Generator

Generate cryptographically secure secrets using crypto.getRandomValues(). Ideal for API keys, session tokens, signing secrets, and encryption keys.

All processing happens in your browser — nothing is sent to our servers
32 bytes · hex · ~256 bits of entropy
4bf193724b6e6f841560e83ebfbbed9924c96e21893b3177bbf062dc678de9da

Choosing the Right Length

32 bytes (256 bits) is the standard for most secrets: JWT signing keys, API tokens, session secrets. 16 bytes is acceptable for short-lived tokens or IDs. Use 64+ bytes for high-security signing keys or when storing long-lived secrets. Always use crypto.getRandomValues(), never Math.random().

How it works
Cryptographically Secure Random Generation
01 CSPRNG

crypto.getRandomValues() — calls the OS kernel's CSPRNG (/dev/urandom on Linux, CryptGenRandom on Windows)

02 Random bytes

A Uint8Array of the requested size filled with unpredictable entropy from the OS

03 Alphabet mapping

Each byte modulo-mapped to the target alphabet — hex (16), Base64 (64), or alphanumeric (62 chars)

04 Bias removal

Rejection sampling discards values that would bias the distribution — ensures uniform character distribution

05 Output

Uniformly distributed, unguessable string — suitable for API keys, tokens, and session IDs

Spec: W3C Web Crypto API §10.1 (getRandomValues), NIST SP 800-90A (DRBG)
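
Steps 03 and 04 as an added example (not this tool's own code): since 256 = 4 × 62 + 8, plain modulo onto the 62-character alphabet makes the first 8 characters more likely, so bytes of 248 and above are discarded. The function names, the alphabet constants and the injectable `fillBytes` parameter are assumptions of this example.

```javascript
// Added example: map CSPRNG bytes onto an alphabet without modulo bias.
// Node 18 fallback; browsers and newer Node expose globalThis.crypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const HEX = '0123456789abcdef';
const ALPHANUMERIC =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Largest multiple of the alphabet size that fits in a byte's range [0, 256).
// Bytes at or above this limit are discarded (rejection sampling).
function rejectionLimit(alphabetSize) {
  if (!Number.isInteger(alphabetSize) || alphabetSize < 2 || alphabetSize > 256) {
    throw new RangeError('alphabet size must be an integer in 2..256');
  }
  return 256 - (256 % alphabetSize);
}

// How many of the 256 byte values land on each alphabet index,
// with plain modulo (reject = false) or with rejection (reject = true).
function indexCounts(alphabetSize, reject) {
  const limit = reject ? rejectionLimit(alphabetSize) : 256;
  const counts = new Array(alphabetSize).fill(0);
  for (let b = 0; b < limit; b++) counts[b % alphabetSize]++;
  return counts;
}

// fillBytes is injectable so the rejection path can be tested with
// constructed bytes; by default it is the real CSPRNG.
function randomString(length, alphabet, fillBytes = (buf) => rng.getRandomValues(buf)) {
  const limit = rejectionLimit(alphabet.length);
  // getRandomValues() accepts at most 65536 bytes per call.
  const buf = new Uint8Array(Math.min(65536, Math.max(16, length * 2)));
  let out = '';
  while (out.length < length) {
    fillBytes(buf);
    for (const byte of buf) {
      if (byte >= limit) continue; // would bias the low indices
      out += alphabet[byte % alphabet.length];
      if (out.length === length) break;
    }
  }
  return out;
}

console.log(indexCounts(62, false).slice(0, 10)); // biased: first 8 hit 5 times
console.log(randomString(32, ALPHANUMERIC));
console.log(randomString(64, HEX)); // 16 divides 256: nothing is rejected
```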

Math.random() is not cryptographically secure and must never be used for secrets. crypto.getRandomValues() is the correct API.
