Random User Agent Generator

What is a user agent string?

A user agent (UA) string is a line of text that a browser sends in the User-Agent HTTP request header with almost every request. It is a self-reported identity: it tells the server which browser and version is asking, which rendering engine that browser uses, which operating system and version it runs on, and frequently the device type and CPU architecture. Servers read it to decide which version of a page or asset to return, analytics tools use it to break traffic down by browser and platform, and developers use it when debugging device-specific bugs. Because it is just a header that the client controls, it can be set to any value - which is exactly why a generator like this one is useful for testing.

Why does a user agent string look so messy?

Almost every modern UA still begins with Mozilla/5.0. This is a historical artefact from the 1990s browser wars: servers learned to sniff for "Mozilla" to decide whether a client could handle frames and rich content, so every browser that wanted those features had to claim to be Mozilla-compatible. The pattern stuck. Today Chrome, Edge, Opera, Brave and most other Chromium browsers also carry AppleWebKit/537.36 (KHTML, like Gecko) and a trailing Safari/537.36 token, even though they are neither Safari nor built on WebKit. This layered, backwards-compatible disguise is why UA strings read like a museum of every browser that ever mattered. Understanding the layers is the key to recognising a real UA from a fake one.

The anatomy of a user agent string

Take a typical desktop Chrome string and break it into its tokens:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

• Mozilla/5.0 - the legacy compatibility prefix described above. Present on nearly every browser.
• (Windows NT 10.0; Win64; x64) - the platform token. It declares the operating system (Windows NT 10.0 covers both Windows 10 and Windows 11), the platform (Win64) and the CPU architecture (x64). On a Mac you would see (Macintosh; Intel Mac OS X 10_15_7); on Android, something like (Linux; Android 14; Pixel 8).
• AppleWebKit/537.36 (KHTML, like Gecko) - the rendering-engine token. Chromium browsers freeze this at 537.36 for compatibility. Firefox uses Gecko/20100101 instead; real Safari uses its own WebKit build number.
• Chrome/124.0.0.0 - the product token: the browser brand and version. This is the part that changes most often as browsers update. Chrome now zeroes out the minor version components for privacy, reporting 124.0.0.0 rather than the exact build.
• Safari/537.36 - a trailing compatibility token that Chromium keeps so old Safari-specific server logic still serves modern content.

A Firefox string is shorter and more honest about its engine: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0. Safari on macOS looks like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15, where the real browser version lives in the Version/ token, not in Safari/. This tool builds each of these families from the correct token templates so the strings it produces parse the same way a real browser's would.

How this random user agent generator works

This is not a tool that hands back three hard-coded strings. For every user agent it produces, it:

1. Picks a browser family and an operating-system family - either the ones you selected, or random valid choices when you leave the filters on "Any". Impossible combinations (Safari on Windows, Edge on Linux, desktop Chrome on iOS) are excluded automatically, because iOS forces every browser onto WebKit and Safari does not exist outside Apple platforms.
2. Selects a realistic, recent major version for that browser and a matching OS version (for example a Chrome major in a current range, paired with Windows NT 10.0, a recent macOS, an Android release, or an iOS release).
3. Randomizes the version digits using crypto.getRandomValues() - the same cryptographically strong randomness used for security tokens - so each run yields genuinely different, non-sequential output rather than values from a tiny fixed list.
4. Assembles the tokens into the exact layout that the real browser uses, including the frozen engine build numbers and the trailing compatibility tokens, then returns valid strings you can paste straight into a request header or test harness.

Everything happens locally in your browser. No UA string is sent to or stored on our servers.

Legitimate uses - and where the line is

Random user agents are a normal part of building and testing software. Used responsibly, they help you:

• Test responsive and cross-browser layouts - confirm a page degrades gracefully for older browsers or renders correctly for mobile UAs without owning every device.
• Seed test and staging data - populate analytics dashboards, log pipelines and device-detection logic with a realistic spread of browsers and platforms.
• Develop and debug device-detection code - verify that your own UA-parsing logic classifies real-world strings correctly (pair this with our parser, linked below).
• Scrape politely and identify yourself honestly - when you build a crawler, set a descriptive UA and, where appropriate, contact details, rotate within reasonable limits, respect robots.txt and rate limits, and never hammer a site.

What random UAs do not do is make you anonymous. The UA is one weak signal among many; advanced fingerprinting combines TLS characteristics, header order, screen metrics, fonts, timing and behaviour, so spoofing the UA alone does not hide you. Please do not use generated strings to impersonate a specific person, evade access controls, defeat licensing or fraud checks, bypass paywalls, or violate a site's terms of service. The ethical rule of thumb: use a fake UA to test your own systems or to identify your bot honestly, never to deceive a service into treating you as someone you are not.

Can a server trust the user agent?

No - and that cuts both ways. Because the UA is fully client-controlled, a server can never treat it as proof of anything for security decisions; it is a hint for content negotiation and analytics, not an identity. That is also why the web platform is moving away from rich UA strings toward User-Agent Client Hints, a structured set of request headers (Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Mobile and friends) that disclose less by default and only reveal more detail when a site explicitly asks for it. Modern Chromium browsers already freeze and reduce parts of the classic UA string for this reason. For now, though, the legacy User-Agent header is still sent everywhere, so realistic generated strings remain useful for testing and tooling.

The User-Agent request header is defined in RFC 9110 (HTTP Semantics). The structured replacement, User-Agent Client Hints, is specified by the W3C. This generator reproduces the publicly documented token formats of mainstream browsers; it does not copy any single real device's string.

Related tools

• What Is My User Agent - see and parse your own UA, or decode any string you paste.
• What Is a MAC Address? - learn how another low-level identifier names your hardware on a network.