Nonce Generator
Generate cryptographically secure random nonces for CSP headers, CSRF tokens, OAuth flows, and other security applications.
What is a Nonce?
A nonce (number used once) is a cryptographically random value generated for single use in a security protocol. Unlike predictable identifiers or sequential counters, nonces are produced by a cryptographically secure pseudorandom number generator (CSPRNG), which makes them computationally infeasible to predict or reproduce. This tool uses the browser's crypto.getRandomValues() API, so every byte of the nonce carries full entropy.
Nonces are foundational to modern web security: every time a browser loads a page with a strict Content Security Policy, a server validates a webhook signature, or an OAuth flow verifies its state parameter, a nonce is involved. Generating high-quality random nonces matters because a weak or predictable value directly undermines the protection it is meant to provide.
Common Use Cases for Nonces
CSP Nonces
Add 'nonce-YOUR_VALUE' to the script-src (or style-src) directive of your Content-Security-Policy header and put the same value in the nonce attribute of the inline script or style you want to allow, so that it runs without 'unsafe-inline'. Generate a fresh value for every response; a nonce that is reused across responses no longer distinguishes your inline code from injected code.
CSRF Tokens
Embed a random nonce in HTML forms as a hidden field, bind it to the user's session, and validate it server-side on every state-changing request to prevent cross-site request forgery.
OAuth State Parameter
Generate a unique state value for each OAuth 2.0 authorization request and verify it when the provider redirects back, to prevent CSRF and authorization code injection attacks during the redirect flow.
API Idempotency Keys
Attach a unique nonce to API requests (e.g., Stripe's Idempotency-Key header) to safely retry operations without processing them twice.
JWT jti Claims
Use a nonce as the JWT ID (jti) claim to uniquely identify each token; this lets you revoke individual tokens by jti and reject a token that is presented twice (replay).
Session Identifiers
Generate cryptographically random session tokens for authentication cookies, ensuring session IDs cannot be predicted or brute-forced.
Output Formats Explained
- Hexadecimal — Lowercase hex encoding (0-9, a-f). Produces 2 characters per byte. Best for CSP nonces, database IDs, and debugging. A 32-byte nonce yields a 64-character hex string.
- Base64 — Standard Base64 encoding (A-Z, a-z, 0-9, +, /, with = padding). More compact than hex — 32 bytes yields 44 characters. Common for HTTP headers and cookie values.
- Base64url — URL-safe Base64 encoding that replaces + with - and / with _ and drops the padding. Required for OAuth state parameters, JWT claims, and any value passed in URLs or query strings, where + and / would otherwise need percent-encoding.
- Alphanumeric — Characters A-Z, a-z, 0-9 only. Maximally portable across systems — safe for HTML attributes, filenames, and legacy systems that reject special characters.
Frequently Asked Questions
How long should a nonce be?
For most security applications, 16-32 bytes (128-256 bits) provides sufficient entropy. OWASP recommends at least 128 bits for CSRF tokens. CSP nonces should be at least 16 bytes.
Is this generator secure enough for production?
Yes. This tool uses crypto.getRandomValues(), the same CSPRNG used by production libraries. However, nonces that protect server-side state (CSP nonces, CSRF tokens, session identifiers) should typically be generated on the server, since the server has to know the value before it can check it.
What is the difference between a nonce and a UUID?
UUIDs (v4) provide uniqueness but only 122 bits of randomness, because 6 of their 128 bits are fixed version and variant fields. Nonces are pure random bytes of configurable length, which makes them more suitable for cryptographic applications that require a specific entropy level.