Bearer token generator FREE

Cryptographically secure random bearer tokens for OAuth 2.0, API authentication, and access control. Choose your encoding (hex, Base64, Base64-URL or alphanumeric) and entropy in bytes — the page handles the rest. RFC 6750 compatible.

Bearer token generator

Settings

Recommended: 32 bytes (256 bits) of entropy with Base64-URL encoding — the de-facto OAuth 2.0 default. URL-safe, fits in HTTP headers, no padding to escape. 

  






  
What's a bearer token?

  
An opaque string that proves the holder is authorized — no further proof of identity needed (hence "bearer"). Defined in RFC 6750. Sent in the HTTP Authorization header:

  
Authorization: Bearer eyJhbGciOiJIUzI1NiIs…

  
Bearer tokens are the simplest auth mechanism — but anyone who has the token has access. Always send over HTTPS, rotate often, and never log them.


  
Encoding choices

  
    
    
  • Base64-URL (default) — URL-safe (no +, /, =). The OAuth 2.0 spec recommends this. ≈4 chars per 3 bytes.
    • 
    
  • Hex — easiest to read, exact 2-char-per-byte ratio. Twice as long as Base64 for the same entropy.
    • 
    
  • Base64 (standard) — slightly shorter, but contains + / = which need URL-encoding in query strings.
    • 
    
  • Alphanumeric — A–Z, a–z, 0–9 only. ~5.95 bits per char vs. 6 bits for Base64. Safe everywhere; slightly longer for the same entropy.
    • 
  


  
How long should a token be?

  
32 bytes (256 bits) is the modern minimum for production. 16 bytes is acceptable for short-lived tokens (minutes-to-hours). Don't go below 128 bits — that's the cryptographic floor.


  
Related tools

    JWT tokenSigned claims
    OAuth tokensAccess + refresh
    API keyWith prefix
    Webhook secretHMAC verify
  







Copied!