Skip to main content

Nonce Generator

Generate cryptographically-random nonces (numbers used once) for CSP headers, OAuth/OIDC state parameters, CSRF tokens, session IDs and API idempotency keys — in hex, Base64, Base64url, alphanumeric or decimal-array format. Created in your browser with a CSPRNG and never transmitted.

Input

Number of random bytes for Hex/Base64/Base64url/Decimal array (16 bytes = 128 bits is the CSP-recommended minimum); number of characters for Alphanumeric.

Output

Generated nonce(s)
 
Usage examples (first nonce)
 

Common places a nonce is used — built from the first generated value above.

Was this helpful?

Guides

Generate a cryptographically-random nonce — a "number used once" — for a Content Security Policy header, an OAuth/OIDC state parameter, a CSRF token, a session identifier, or an API idempotency key. Built in your browser with a cryptographic random number generator and never transmitted.

How to use it

  1. Drag the nonce length slider. It sets the number of random bytes generated (16 bytes / 128 bits is the CSP-recommended minimum) — or the number of characters, if you pick the Alphanumeric format.
  2. Choose an output format: Hex, Base64, Base64url (safe in URLs and cookies without extra encoding), Alphanumeric, or a decimal byte array.
  3. Set how many nonces to generate at once, from 1 to 100.
  4. Click Generate nonce. Copy or download the list, and check the usage-examples block for the exact header/tag/cookie syntax built from the first value.

Frequently asked questions

What is a nonce?

A nonce is a random value meant to be used exactly once, so it can't be predicted or replayed. Its security comes entirely from unpredictability: reuse a nonce, or generate it with a weak random source, and whatever it's protecting — a script's execution, a login flow, a form submission — becomes forgeable.

Is this the same as WordPress's wp_nonce()?

No. Despite the shared name, a WordPress nonce is an HMAC computed from a user ID, an action name and a time window — deterministic and verifiable without server-side storage. This tool generates cryptographically random bytes with no relationship to any user or action, the kind used in CSP headers, OAuth flows and session tokens. If you need a WordPress action nonce, use wp_create_nonce() in PHP instead.

What length should I use?

16 bytes (128 bits) is the practical minimum for a CSP nonce or CSRF token. 32 bytes (256 bits) is a common choice for session identifiers and OAuth state parameters, where you want headroom against very high-volume guessing. Going much higher rarely buys anything — 128 bits already puts brute force firmly in "longer than the age of the universe" territory.

Which format should I pick?

Base64url is usually the most convenient: it's compact, and safe to drop directly into a URL query string, an HTTP header, or a cookie value without percent-encoding. Hex is the most universally compatible (letters and digits only, case-insensitive-safe). Alphanumeric suits contexts like filenames or path segments where even - and _ are unwelcome. Decimal array is mainly useful for feeding raw byte values into another program.

How random are these nonces?

Every byte comes from the platform's CSPRNG (crypto.getRandomValues in the browser, Node's crypto module via the same code path on the server) — never Math.random(), which is fast but predictable and unfit for anything security-related. The alphanumeric format uses rejection sampling so every character of the 62-character alphabet is exactly equally likely, with no bias toward any subset.

Can I reuse a nonce across requests?

No — that defeats the purpose. Generate a fresh nonce for every request, page load, or session. If you find yourself wanting to reuse one, you likely want a stable identifier instead (a UUID, an API key), not a nonce.

Privacy

Nonces are generated entirely on your device. Nothing is sent to a server, nothing is logged, and nothing is stored. Generated values are excluded from shareable links by design: a share link carries your settings only, never the generated nonce.

noncerandomcsprngcspcontent security policyoauthcsrfsecuritygenerator

Love the tools? Lose the ads.

One payment clears every ad from your account, for good. No subscription, no tracking.