Is this random generator cryptographically secure?

Yes. It calls crypto.getRandomValues from the Web Crypto API, which browsers back with a cryptographically strong pseudo-random number generator seeded from the operating system entropy pool. It is not Math.random, which is unsuitable for secrets.

How many bytes should I generate for a token?

32 bytes (256 bits) is a common, comfortable default for session IDs, CSRF tokens, and API keys. 16 bytes (128 bits) is the practical minimum for security; use more if you need extra margin.

What is the difference between base64 and base64url?

Standard base64 uses + and / and pads with =, which must be encoded in URLs. Base64url replaces + with - and / with _ and drops the padding, so the value can be dropped straight into a URL or filename.

Are the generated bytes ever sent to a server?

No. Generation and encoding happen entirely in your browser with no network calls. You can disconnect from the internet and the tool still works, so the secrets never leave your device.

Why does the decimal output get so long?

The bytes are interpreted as one big-endian integer, so 32 bytes is a 256-bit number with up to 78 decimal digits. It is computed with BigInt for exact, arbitrary-precision conversion.

Secure Random Bytes / Hex Generator

Generate cryptographically secure random values in your browser

Whether you need a session secret, a CSRF token, an encryption key, or a reproducible-looking test fixture, you want randomness from a cryptographically strong source — not Math.random. This generator uses the Web Crypto API directly, produces between 8 and 512 bytes, and encodes them in whichever format your code expects.

How it works

The tool allocates a Uint8Array of the requested length and fills it with crypto.getRandomValues(), the browser’s CSPRNG. The raw bytes are then encoded:

Hex / HEX — each byte becomes two hex characters (toString(16) padded to 2), lower or upper case.
Base64 / Base64URL — the bytes are turned into a binary string and passed to btoa; the URL-safe variant swaps +// for -/_ and strips = padding.
Decimal — the bytes are read big-endian into a BigInt so even 512-byte values convert exactly with no floating-point loss.

The byte count is clamped to the 8–512 range, and the tool falls back to a clear message if Web Crypto is unavailable.

Tips and security notes

A byte holds 8 bits of entropy, so 16 bytes is 128 bits and 32 bytes is 256 bits — the latter is a solid default for most secrets. Hex doubles the length (32 bytes becomes 64 characters); base64url is more compact (about 43 characters for 32 bytes) and safe to embed in URLs.

Because everything runs locally, you can generate production secrets offline. Still, treat the output like any other credential: do not paste it into logs, chat, or version control, and rotate it on the same schedule you would any key.