This tool generates single-use high-entropy tokens for specific web-security scenarios. Unlike a generic random-string generator, each scenario applies the right conventions automatically.
Scenarios:
- CSRF Token: an opaque token bound to a user session and submitted with state-changing requests (forms, AJAX) to prove the request came from your own page.
- OAuth/OIDC State: an unguessable value sent to the authorization server and validated on the redirect callback, binding the response to this request and preventing login CSRF.
- Session Nonce: a single-use random value tied to a session to prevent replay of a request.
- PKCE Verifier + Challenge: generates a code_verifier (kept client-side) and derives code_challenge = base64url(SHA256(verifier)) (sent to the authorization server with code_challenge_method=S256) per RFC 7636, so a leaked authorization code cannot be exchanged without the verifier. PKCE forces unpadded base64url encoding and a 32-96 byte verifier (43-128 base64url characters, the range RFC 7636 allows).
- Custom: a generic opaque high-entropy token for any single-use scenario you define; byte length is user-controlled (8-128).
Options:
- Byte Length: bytes of entropy. Locked to 32 (256 bits) for all preset scenarios; user-editable (8-128) only in Custom.
- Encoding: base64url (URL-safe, the default for web tokens), hex, or base64. Overridden to base64url for PKCE.
- Add expiry timestamp prefix: prepends base36(expireAtSeconds).token (the expiry as a Unix timestamp in base36, a dot, then the token) so the server can reject expired tokens statelessly (OWASP-recommended pattern). The prefix is plain text, not authenticated: it lets the server discard stale tokens without a lookup, but the token itself must still be validated (matched against the session, or covered by an HMAC), otherwise an attacker could simply prepend a later timestamp.
- TTL (seconds): validity window used by the timestamp prefix.
- Count: generate 1-50 tokens at once.
Security: randomness comes from Node's crypto.randomBytes(), a cryptographically secure source; Math.random() is never used because its output is predictable. The PKCE challenge uses SHA-256 via crypto.createHash(). This tool generates token material only; it does not store or validate tokens server-side. Binding a token to the session, enforcing single use, and comparing submitted values in constant time (crypto.timingSafeEqual()) remain the application's responsibility.