What makes this nonce generator cryptographically secure?

The tool uses window.crypto.getRandomValues(), the browser's CSPRNG (cryptographically secure pseudo-random number generator). It draws entropy from OS-level sources and is the same API used by TLS, WebAuthn, and other security-critical browser features. Math.random() is not cryptographically secure and should never be used for nonces.

How many bytes should a nonce be?

For most web security uses (CSRF tokens, CSP nonces, session IDs) 16 bytes (128 bits) of entropy is the industry standard. For cryptographic IVs, the required length depends on the algorithm (e.g. 12 bytes for AES-GCM). 8 bytes is the minimum here; 32 bytes is a safe default for general use.

What is the difference between base64 and base64url?

Standard base64 uses + and / characters that must be percent-encoded in URLs and HTTP headers. Base64url replaces + with - and / with _, making the output safe to embed directly in URLs, JWTs, and HTTP headers without additional encoding.

Does this tool store or transmit the nonces I generate?

No. Generation happens entirely in your browser via the WebCrypto API. No data of any kind is sent to a server. You can disconnect from the internet after the page loads and the tool will continue to work.

Can I use the alphanumeric output as a secure token?

Yes. The alphanumeric output is derived from the same CSPRNG bytes — each byte maps to one character in the 62-character set (A–Z, a–z, 0–9). The entropy per character is log2(62) ≈ 5.95 bits, so a 32-byte alphanumeric output carries roughly 190 bits of entropy, well above any brute-force threshold.

What is a nonce and how is it different from a random key?

A nonce (number used once) is a value that must not repeat within a given security context. Unlike a long-lived secret key, a nonce is typically short-lived and public — its security property is uniqueness, not secrecy. Examples include AES-GCM IVs, CSRF tokens, and CSP script nonces.

Cryptographic Nonce Generator

Name: Cryptographic Nonce Generator
Availability: InStock
Author: Nham Vu

Generate a cryptographically secure nonce in hex, base64, or alphanumeric format using your browser's WebCrypto API.

Configuration

Byte length: 16

8 bytes 128 bytes

Output format

Hex Base64 Base64url Alphanumeric

Batch count: 1

1 10

Output

—

Click Generate to produce a nonce.

Source

WebCrypto API

window.crypto.getRandomValues()

Entropy

—

bits of randomness

Output chars

—

characters per nonce

Copied!

Summary

Generate a cryptographically secure nonce in hex, base64, or alphanumeric format using your browser's WebCrypto API.

How it works

Set the desired byte length using the slider or number input (8–128 bytes).
Choose an output format: hex, base64, base64url, or alphanumeric.
Click "Generate" or use auto-generate to produce a new nonce immediately.
Copy the nonce with one click — a confirmation toast confirms the copy.
Use the batch output to generate up to 10 nonces at once for bulk needs.

Use cases

Generating CSRF tokens for web form submissions.
Creating session IDs and anti-replay tokens for OAuth and OIDC flows.
Producing Content Security Policy (CSP) nonces for inline scripts.
Generating initialization vectors (IVs) for symmetric encryption.
Creating unique salts before passing to a key-derivation function.
Producing one-time tokens for password reset or email verification links.
Seeding test fixtures with unpredictable values during development.
Generating API idempotency keys to prevent duplicate requests.

Frequently Asked Questions

Last updated: 2026-07-01 · Reviewed by Nham Vu