We are using Java and we are planning to create a reusable API that can be used to generate and validate custom tokens. This is how we will do it:
Step 1: Generate a random number using a good CSPRNG (Cryptographically Secure Pseudorandom Number Generator). This will be the seed of the token.
Step 2: Hash the seed using a salt. The hashed version will be the token.
My question is, if the token is created by hashing anyway, is it still necessary that the seed is generated from a good CSPRNG? Would it matter?
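The two steps described in the post, as an added Java example that is not the poster's code: it builds the token from a `SecureRandom` seed, then runs the same hash over a constructed 16-bit seed space to show that hashing is deterministic and cannot produce more distinct tokens than there are seeds. The class name, method names, seed sizes, SHA-256 and the sample salt are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

public class TokenDemo {
    private static final SecureRandom CSPRNG = new SecureRandom();

    // Step 2 of the post: token = SHA-256(salt || seed), URL-safe encoded.
    static String hashSeed(byte[] salt, byte[] seed) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(seed);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(md.digest());
    }

    // Step 1 with a CSPRNG: 32 random bytes, so 2^256 possible seeds.
    static String generateToken(byte[] salt) throws NoSuchAlgorithmException {
        byte[] seed = new byte[32];
        CSPRNG.nextBytes(seed);
        return hashSeed(salt, seed);
    }

    // Constant-time comparison of a presented token with the stored one.
    static boolean validate(String presented, String stored) {
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.US_ASCII),
                                     stored.getBytes(StandardCharsets.US_ASCII));
    }

    // Constructed weak source: only 2^16 possible seeds. Each seed hashes to
    // exactly one token, so the token space is no larger than the seed space.
    static int distinctTokensFromWeakSeeds(byte[] salt) throws NoSuchAlgorithmException {
        Set<String> tokens = new HashSet<>();
        for (int s = 0; s < (1 << 16); s++) {
            tokens.add(hashSeed(salt, new byte[] {(byte) (s >>> 8), (byte) s}));
        }
        return tokens.size();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = "constructed-sample-salt".getBytes(StandardCharsets.US_ASCII);
        String token = generateToken(salt);
        System.out.println("token from CSPRNG seed: " + token);
        System.out.println("validates: " + validate(token, token));
        System.out.println("tokens reachable from 16-bit seeds: " + distinctTokensFromWeakSeeds(salt));
    }
}
```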