Token generate

POST /api/token-generate

Generate cryptographically random tokens for session IDs, CSRF tokens, API keys, magic-link tokens. Configurable length and encoding (hex, base64url, base64).

Generates a cryptographically random token of the requested length and encoding. Use this for session IDs, CSRF tokens, invitation links, password-reset tokens, API keys — anything that needs to be unguessable. Options: - `bytes` (default 32): how many random bytes to generate. The resulting token string will be longer because the encoding expands. - `encoding`: `hex` (2× expansion), `base64url` (default, ~1.33× expansion, URL-safe), or `base64` (same expansion, uses `+/`). Returns the encoded token plus its bit-strength (8 × bytes).

Inputs

Name	Type	Default	Description
length	number (1…4096)	32	Token length, in characters of the chosen alphabet.
alphabet	enum (urlsafe \| hex \| alphanum \| base64)	"urlsafe"	Output alphabet.
count	number (1…1024)	1	How many tokens to emit.

Response

Modes: json. Cache: not cacheable.

Code samples

Built from the single-urlsafe-32 example.


curl -X POST https://api.xtract.bot/api/token-generate \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "length": 32,
  "alphabet": "urlsafe",
  "count": 1
}'