Nonce Generator
Generate a cryptographically secure random nonce (number used once) for AES-GCM, OAuth/OpenID, CSP headers, and replay protection - Hex, Base64, and Base64URL
[ Nonce - Quick Summary ]
What: Generate a cryptographically secure random nonce - a "number used once". Supports Hex, Base64, Base64URL, and Alphanumeric encodings with configurable byte lengths (8-64 bytes, 64-512 bits of entropy). Uses CSPRNG (PHP random_bytes) so each nonce is unpredictable and never repeats in practice.
When to use: Initialization vectors / nonces for AES-GCM and ChaCha20-Poly1305, the nonce parameter in OAuth 2.0 / OpenID Connect authentication requests, per-request Content-Security-Policy script-src 'nonce-...' values, API request nonces for replay protection, and WebAuthn challenges.
Example: 3f8a1c9e5b2d7f04a6e1c8b0 (Hex, 12 bytes, 96 bits - the AES-GCM nonce size)
Security/Important: A nonce must be unique per key/context - never reuse the same nonce with the same key (catastrophic for AES-GCM). Use 12 bytes (96 bits) for AES-GCM, 16-24 bytes for general use. A nonce needs to be unique and, for auth flows, unpredictable - use this CSPRNG generator rather than counters when unpredictability matters. Nonces are single-use: generate a fresh one for every message, request, or page render.
Our nonce generator creates a cryptographically secure random nonce - a number used once - for cryptography, authentication, and web security. Generate a nonce in Hex, Base64, Base64URL, or Alphanumeric encoding with configurable byte lengths (8-64 bytes) using a cryptographically secure random number generator (CSPRNG). Perfect for AES-GCM and ChaCha20 initialization vectors, the OAuth 2.0 and OpenID Connect nonce parameter, per-request Content-Security-Policy nonces, API replay-protection tokens, and WebAuthn challenges. A nonce guarantees freshness: because it is used only once, it stops attackers from replaying a captured message or request. Related tools: an encryption key generator for the key that pairs with your GCM nonce, a UUID generator for unique identifiers, and a session secret generator for cookie signing. All nonces use CSPRNG for maximum unpredictability.
What is a Nonce Generator?
A nonce generator creates a random "number used once" - a value that is generated fresh for a single message, request, or session and never reused in the same context. Nonces solve two related problems: freshness and replay protection. In authenticated encryption such as AES-GCM or ChaCha20-Poly1305, the nonce (also called an IV) ensures that encrypting the same plaintext twice with the same key produces different ciphertext, and it must never repeat for a given key. In authentication flows like OAuth 2.0 and OpenID Connect, the client sends a random nonce with the request and checks that the same value comes back in the response, defeating replay and token-substitution attacks. Our generator uses a cryptographically secure random number generator (CSPRNG via PHP's random_bytes) so nonces are both unique and unpredictable.
The right size and encoding depend on the use case. AES-GCM expects a 12-byte (96-bit) nonce; general-purpose nonces use 16-24 bytes; Content-Security-Policy nonces are typically random base64 values regenerated on every page render. Choose Hex for IVs and low-level cryptography, Base64 or Base64URL for HTTP headers and OAuth parameters, and Alphanumeric when you need a value free of special characters. Whatever the format, the golden rule is one nonce, one use: generate a new value every time, and for AES-GCM in particular never pair the same nonce with the same key twice.
Nonce Generator Configuration
Count (1-50 Nonces)
Byte Length (8-64 bytes)
Encoding Format
How to Generate a Nonce
[STEP 1] Pick the Size for Your Use Case
Choose 12 bytes for AES-GCM, 16-24 bytes for general-purpose or OAuth nonces, or 32 bytes when you want maximum entropy. The size should match the algorithm or protocol you are targeting.
[STEP 1] Select an Encoding
Use Hex for cryptographic IVs, Base64URL for OAuth/OpenID nonce parameters and CSP header values, and Base64 for general HTTP use. Alphanumeric is handy when special characters are not allowed.
[STEP 1] Generate the Nonce
Click EXECUTE GENERATION to create nonces with CSPRNG security. Each nonce displays with a Copy button and shows its byte length, entropy bits, and strength assessment. All nonces use PHP's random_bytes for cryptographic randomness.
[STEP 1] Use It Once
Use each nonce a single time - as the IV for one encryption, the nonce parameter of one auth request, or the CSP nonce of one page render. Generate a fresh nonce for the next operation. For AES-GCM, never reuse a nonce with the same key.
Nonce Best Practices
- _ Never Reuse a Nonce with the Same Key - For AES-GCM and other AEAD ciphers, reusing a nonce with the same key breaks confidentiality and can leak the authentication key. Generate a fresh nonce for every message, or use a strictly increasing counter that never repeats for a given key.
- _ Match the Size to the Algorithm - Use exactly 12 bytes (96 bits) for AES-GCM, 24 bytes for XChaCha20-Poly1305, and 16 bytes for many general-purpose schemes. Using the wrong size can be rejected by your crypto library or reduce security.
- _ Use Unpredictable Nonces for Auth Flows - For OAuth 2.0 / OpenID Connect nonces, CSP nonces, and API replay protection, the value must be unpredictable, not just unique. Use this CSPRNG generator rather than timestamps or sequential counters, which an attacker could guess.
- _ Regenerate CSP Nonces Per Request - A Content-Security-Policy nonce must be freshly generated on every page render and injected into both the CSP header and the matching script/style tags. A static or reused CSP nonce provides no protection against injected scripts.
- _ Bind Auth Nonces to the Session - When using a nonce to prevent replay in OpenID Connect or API requests, store the issued nonce server-side (or in the user's session) and verify the returned value matches, then discard it. Reject requests whose nonce is missing, unknown, or already used.
- _ Pair with a Strong Key - A nonce is only half of authenticated encryption; the other half is the key. Generate the key with a dedicated encryption key generator and keep it secret. The nonce can be public; the key must not be.
Technical Implementation
Our nonce generator uses PHP's random_bytes (CSPRNG) ensuring cryptographic randomness, then encodes the bytes in your chosen format:
// Nonce Generation Algorithm
Algorithm: Cryptographically Secure Random Nonce Generation
// Step 1: Generate Random Bytes
byte_length = 12 (AES-GCM) or 16-32 (configurable: 8-64 bytes)
random_bytes = random_bytes(byte_length) // PHP CSPRNG
// Example: 12 bytes = 96 bits (AES-GCM nonce)
// Step 2: Encode Based on Format
if (format == "hex") then:
nonce = bin2hex(random_bytes)
// Example: 3f8a1c9e5b2d7f04a6e1c8b0 (24 hex chars for 12 bytes)
else if (format == "base64") then:
nonce = base64_encode(random_bytes)
else if (format == "base64url") then:
nonce = base64_encode(random_bytes)
nonce = strtr(nonce, '+/', '-_') // URL-safe chars
nonce = rtrim(nonce, '=') // Remove padding
else if (format == "alphanumeric") then:
charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
nonce = ''
for i = 0 to (byte_length * 2) do:
nonce += charset[random_int(0, 61)]
// Golden rule: use each nonce ONCE.
// AES-GCM: never reuse a nonce with the same key.
API Access for Developers
Frequently Asked Questions
What is a nonce?
What size nonce should I use for AES-GCM?
What is the difference between a nonce and a UUID?
What is a Content-Security-Policy (CSP) nonce?
script-src 'nonce-abc123') and repeat as the nonce attribute on the script/style tags you trust. The browser only executes tags whose nonce matches the header, blocking injected scripts. The nonce must be freshly generated on every request (never static or cached) and should be unpredictable - generate it with a CSPRNG like this tool, typically as a base64 value.
Can a nonce be predictable, or does it need to be random?
Is it safe to reuse a nonce?
[ HOW TO CITE THIS PAGE ]
Generate-Random.org. (2026). Nonce Generator. Retrieved from https://generate-random.org/nonce
Nonce Generator - Generate-Random.org (https://generate-random.org/nonce)