What does openssl rand do?

openssl rand reads from the operating system's cryptographically secure random number generator (CSPRNG) — /dev/urandom on Linux and macOS, BCryptGenRandom on Windows — and outputs the result in the encoding you specify.

This tool uses crypto.getRandomValues(), the browser's CSPRNG, which draws from the same OS source. The output is statistically equivalent to OpenSSL's — there is no practical security difference.

base64 vs hex — which to use?

base64 — more compact (33% shorter than hex for the same bytes). Used by Auth.js (AUTH_SECRET), Django password hashers, and most HMAC signing keys. Output contains +, /, and = padding — quote the value in your .env if it contains special characters.
hex — longer but URL-safe and shell-safe without quoting. Used by Rails (SECRET_KEY_BASE, RAILS_MASTER_KEY), API tokens stored in databases, and webhook secrets.

Common commands and what they're for

openssl rand -base64 32 — 32 random bytes → 44-char base64. Used for AUTH_SECRET, SESSION_SECRET, symmetric encryption keys.
openssl rand -hex 32 — 32 random bytes → 64-char hex. Used for API tokens, webhook secrets, database tokens.
openssl rand -hex 16 — 16 random bytes → 32-char hex. Used for RAILS_MASTER_KEY, AES-128 keys, short tokens.
openssl rand -base64 48 — 48 random bytes → 64-char base64. Used for HS384 JWT secrets.

Related tools

NextAuth Secret Generator — AUTH_SECRET for Auth.js / Next.js
JWT Secret Generator — HS256/HS384/HS512 signing keys
Rails Secret Key Generator — SECRET_KEY_BASE and RAILS_MASTER_KEY
Secret Generator — general-purpose secrets for any stack