Random Base64 Secret Generator
Random secrets encoded as base64 or URL-safe base64url.
$ openssl rand -base64 32
Base64 vs base64url
Base64 packs 6 bits into each character, making it ~33% denser than hex: 32 random bytes fit in 43 characters instead of 64. Standard base64 uses + and / plus = padding — characters that break URLs, filenames and some config parsers. base64url (RFC 4648 §5) swaps them for - and _ and drops the padding, which is why it's the default here and the encoding JWTs themselves use.
Where you'd use one
Random base64 strings are the conventional format for many framework secrets: NextAuth/Auth.js AUTH_SECRET, cookie-session keys, Laravel's APP_KEY (base64-prefixed), or any place documentation says openssl rand -base64 32. This page generates the same thing — 16 to 128 bytes from your browser's CSPRNG, encoded in the variant you pick.
Entropy comes from bytes, not characters
A secret's strength is the number of random bytes behind it, not its printed length. 32 bytes carry 256 bits of entropy whether shown as 64 hex characters or 43 base64 characters. Everything is generated locally with crypto.getRandomValues(); nothing is transmitted or stored.
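The generation and encoding described above, as an added example that is not this page's own source. The function names and the 16 to 128 byte bounds check are assumptions for illustration; the example also decodes either variant back to bytes, showing that 43 base64url characters and 44 padded base64 characters both carry 256 bits.

```javascript
// Added example; function names are illustrative, not this page's source.
// Browsers and Node 19+ expose Web Crypto as globalThis.crypto; older Node needs the fallback.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Standard base64 (RFC 4648 §4): uses + and / and = padding.
function toBase64(bytes) {
  return btoa(String.fromCharCode(...bytes));
}

// base64url (RFC 4648 §5): - and _ instead of + and /, padding dropped.
function toBase64Url(bytes) {
  return toBase64(bytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Draw byteLength bytes from the CSPRNG and encode them in the chosen variant.
function generateSecret(byteLength = 32, variant = "base64url") {
  if (!Number.isInteger(byteLength) || byteLength < 16 || byteLength > 128) {
    throw new RangeError("byteLength must be an integer from 16 to 128");
  }
  const bytes = webCrypto.getRandomValues(new Uint8Array(byteLength));
  return variant === "base64" ? toBase64(bytes) : toBase64Url(bytes);
}

// Decode either variant back to raw bytes, rejecting anything that is not base64.
function decodeSecret(text) {
  const std = text.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (!/^[A-Za-z0-9+/]*$/.test(std) || std.length % 4 === 1) {
    throw new TypeError("not a base64 or base64url string");
  }
  const padded = std + "=".repeat((4 - (std.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Upper bound on entropy: 8 bits per decoded byte, assuming the bytes were random.
function entropyBits(text) {
  return decodeSecret(text).length * 8;
}

const urlSafe = generateSecret(32);            // 43 characters, no padding
const standard = generateSecret(32, "base64"); // 44 characters, ends in "="
console.log(urlSafe.length, entropyBits(urlSafe));
console.log(standard.length, entropyBits(standard));
```

`entropyBits` is also a quick check for a secret pasted from elsewhere: a string that decodes to fewer than 16 bytes is short no matter how long it looks on screen.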
Nothing leaves your browser
- Every value comes from crypto.getRandomValues(), the CSPRNG built into your browser, never Math.random().
- Generated secrets are never transmitted, logged or stored: no server-side generation, no cookies, no localStorage.
- Verify it yourself in the network tab: after loading, the page only talks to our self-hosted, cookie-less analytics — which counts page views and which generator type gets copied, never any value.
- Strict Content-Security-Policy; no third-party script origins.