Tech blog and developer tools
A random token is a string of characters generated using a cryptographically secure random number generator (CSPRNG). Tokens serve as temporary credentials, session identifiers, password reset links, email verification codes, and more. Unlike passwords, tokens are meant to be machine-generated and machine-consumed, so they do not need to be memorable.
The key difference between a random token and a simple random number is the source of randomness. Tokens use the operating system's entropy pool (like /dev/urandom on Linux or the Web Crypto API in browsers), which gathers randomness from hardware events like mouse movements, keyboard timing, and disk I/O. This makes them unpredictable even to an attacker who knows the algorithm.
Fun fact: Stripe popularized the convention of using prefixed tokens like "sk_live_" and "pk_test_". This pattern is now used by companies like OpenAI ("sk-"), Twilio ("SK"), and GitHub ("ghp_"). The prefix makes it easy for secret scanners to identify and revoke leaked tokens automatically.
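As an added example (not code from the page or from any of the vendors it names), the following Python draws a prefixed token from the operating system's CSPRNG and sizes it from a target entropy, so the same helper reproduces the bit counts quoted later on the page. The prefix list, the `generate_token` and `split_prefix` names and the default of 128 bits are choices made for this example.

```python
import math
import secrets

# Constructed alphabet: the 62 alphanumeric characters (26 upper, 26 lower, 10 digits).
ALPHANUMERIC = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Assumed prefix list for this example; only prefixes mentioned on the page.
KNOWN_PREFIXES = ("sk_live_", "sk_test_", "pk_test_", "ghp_", "sk-")


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose entropy reaches `target_bits` (rounded up)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_token(prefix: str = "", target_bits: float = 128, alphabet: str = ALPHANUMERIC) -> str:
    """Prefixed random token drawn from the OS entropy pool.

    secrets.choice() is backed by os.urandom (the /dev/urandom pool on Linux)
    and samples uniformly, so every character carries log2(len(alphabet)) bits.
    The `random` module must not be used here: it is a seedable Mersenne Twister
    whose output is reproducible once its state is known.
    """
    n = length_for_bits(len(alphabet), target_bits)
    body = "".join(secrets.choice(alphabet) for _ in range(n))
    return prefix + body


def split_prefix(token: str, known_prefixes=KNOWN_PREFIXES) -> tuple:
    """Return (prefix, body); prefix is "" when the token carries none we recognise."""
    for p in known_prefixes:
        if token.startswith(p):
            return p, token[len(p):]
    return "", token


if __name__ == "__main__":
    tok = generate_token("sk_live_")
    print(tok, split_prefix(tok))
    print("32 alphanumeric chars:", round(entropy_bits(62, 32), 1), "bits")
    print("16 alphanumeric chars:", round(entropy_bits(62, 16), 1), "bits")
```

`length_for_bits` rounds up, so a 128-bit target over the 62-character alphabet yields 22 characters, and the prefix adds identification for scanners without adding any entropy of its own.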
Session IDs are stored server-side and mapped to user data. Tokens like JWTs are self-contained and carry their own data. Session IDs are simpler but require server storage; tokens scale better across distributed systems.
Cross-Site Request Forgery tokens are random tokens embedded in forms to prevent malicious websites from submitting requests on a user's behalf. Every major web framework generates these automatically, from Django to Rails to Laravel.
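The synchronizer-token pattern described above, written out as an added example rather than any framework's own code: one CSPRNG token per session, embedded as a hidden field, and compared in constant time on submit. The `CsrfProtector` class, its in-memory session map and the `csrf_token` field name are assumptions for this example.

```python
import hmac
import secrets
from html import escape
from typing import Dict, Optional


class CsrfProtector:
    """Per-session synchronizer token (assumed in-memory store for the example)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # session_id -> csrf token

    def token_for(self, session_id: str) -> str:
        """Create the session's token on first use; reuse it for later forms."""
        if session_id not in self._tokens:
            # 32 bytes from os.urandom, base64url-encoded: 256 bits of entropy
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def hidden_field(self, session_id: str) -> str:
        """Markup to embed in every state-changing form for this session."""
        return f'<input type="hidden" name="csrf_token" value="{escape(self.token_for(session_id))}">'

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        """True only if the submitted value matches the session's token.

        A forged cross-site request can carry the victim's cookies but cannot
        read the page that contains the token, so it cannot supply this value.
        """
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # compare_digest keeps timing independent of how many leading bytes match
        return hmac.compare_digest(expected, submitted)


def handle_post(protector: CsrfProtector, session_id: str, form: Dict[str, str]) -> str:
    """Minimal request handler: reject the write before touching any state."""
    if not protector.validate(session_id, form.get("csrf_token")):
        return "403 Forbidden"
    return "200 OK"


if __name__ == "__main__":
    p = CsrfProtector()
    print(p.hidden_field("sess-1"))
    print(handle_post(p, "sess-1", {"csrf_token": p.token_for("sess-1")}))
    print(handle_post(p, "sess-1", {}))
```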
A 32-character alphanumeric token has about 190 bits of entropy (each position is one of 62 characters, contributing log2(62) ≈ 5.95 bits), meaning there are more possible tokens than the number of atoms in the Milky Way. Even 16 characters provides 95 bits, which is still considered secure for most use cases.
GitHub scans every push for accidentally committed tokens from over 200 services. In 2023, they detected and revoked millions of leaked secrets. This is why token prefixes exist and why you should never commit tokens to version control.
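To show how a prefix helps a scanner, here is an added example (not GitHub's scanner or any vendor's detection rule) that walks constructed file lines, matches the prefixes named on the page, and uses per-character Shannon entropy to separate real-looking secrets from placeholders before redacting them. The body pattern (20 or more base62, underscore or hyphen characters), the 3.0-bit threshold and the `SAMPLE_LINES` input are assumptions made for this example.

```python
import math
import re
from collections import Counter

# Prefixes taken from the page; the body shape is an assumption for this example,
# not any vendor's documented token format.
PREFIX_RE = re.compile(r"(sk_live_|sk_test_|pk_test_|ghp_|sk-)([A-Za-z0-9_-]{20,})")
ENTROPY_THRESHOLD = 3.0  # bits per character; repeated placeholder chars score near 0

# Constructed sample input: one real-looking key, one placeholder, one clean line.
SAMPLE_LINES = [
    'STRIPE_KEY = "sk_live_Qm7xN2pL9vRt4bKs8wZy3cHd"',
    "# placeholder: ghp_" + "x" * 36,
    "token = os.environ['API_TOKEN']",
]


def shannon_entropy(s: str) -> float:
    """Average bits per character of the string's own symbol distribution."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_candidates(lines):
    """Every prefixed match, with its entropy; the body itself is not stored."""
    found = []
    for lineno, line in enumerate(lines, start=1):
        for m in PREFIX_RE.finditer(line):
            prefix, body = m.group(1), m.group(2)
            # Record only metadata so the finding can be logged without re-leaking the secret.
            found.append({"line": lineno, "prefix": prefix,
                          "entropy": shannon_entropy(body), "body_len": len(body)})
    return found


def scan_lines(lines):
    """Candidates whose body looks random enough to be a live credential."""
    return [c for c in find_candidates(lines) if c["entropy"] >= ENTROPY_THRESHOLD]


def redact_line(line: str) -> str:
    """Keep the prefix (useful for triage), drop the secret body."""
    return PREFIX_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

The entropy filter is a heuristic: it suppresses obvious `xxxx` placeholders but will also pass any high-entropy string after a known prefix, so in practice a hit should be confirmed by revoking and rotating the credential rather than by inspection alone.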