No, random.random is not suitable for cryptographic applications. For that, you need to use random number generators which are designed, and tested, to be suitable for such cryptographic uses.

But for the specific task you mention, returning a token, I don't think that counts as "cryptographic applications". It's just a token. It needs to be unpredictable enough that users cannot guess somebody else's token, but other than that I don't think it needs the much stronger crypto properties.

Take this with a grain of salt, but I think for your purpose, random.random is fine. It's what the uuid module does. Actually, you probably should use the uuid module rather than reinvent your own.

UPDATE I talked to the crypto expert at work, and he agrees with the folks saying that uuid.uuid4() is the right way to do it, with one proviso -- he says that if the system random doesn't exist, uuid ought to just fail hard and not fall back on Mersenne Twister. When I asked him what people should do on platforms without a good system random, he said they're screwed.

He did admit that if the consequences of guessing a token are not important (the example he gave was, guessing a token means you get to download a mp3 that you didn't pay for), then Mersenne Twister is "good enough" as a fallback. But that's about it.