How do I generate an API key?

Pick a prefix (or none), choose a character set, set the random body length, and click Generate. For a typical secret key, sk_live_ with base62 and length 32 gives roughly 190 bits of entropy, which is far beyond brute-force reach. The full key is prefix plus random body, so sk_live_ plus 32 characters reads like sk_live_4f9Kp2... The key is produced locally with crypto.getRandomValues, then you copy it once and store only its hash on your server.

What does a prefix like sk_live_ mean?

The prefix is human-readable routing metadata, not part of the secret. Stripe popularised the pattern: sk means secret key, pk means publishable key, and live versus test marks the environment. When a key leaks into a log or a public commit, the prefix lets an automated scanner instantly tell whether to rotate a production credential or a harmless sandbox one. Because the prefix is predictable it adds zero entropy, which is why the strength panel measures only the random body.

How long should an API key be to be safe?

Aim for at least 128 bits of entropy in the random body, and 160 to 256 bits if it guards anything valuable. With base62 each character is worth about 5.95 bits, so length 22 reaches roughly 131 bits, length 27 reaches about 160 bits, and length 32 reaches about 190 bits. With hex each character is only 4 bits, so you need 32 hex characters for 128 bits. The strength panel does this math live as you adjust the length and charset.

Is generating an API key in the browser actually safe?

Yes, when the source is the Web Crypto API, which this tool uses exclusively through crypto.getRandomValues. That is a cryptographically secure generator seeded by the operating system, the same class of randomness a server would use. The keys are created in memory on your machine and never sent anywhere, logged, or written into the shareable URL. The honest caveat is your own device: generate on a machine you trust, and treat the result as a live credential the instant it exists.

What is the difference between an API key and a UUID?

A UUID is a 128-bit identifier with a fixed format and version bits, designed to be unique, not secret, so it is fine to expose in URLs and logs. An API key is a credential whose whole job is to be unguessable, so it wants maximum entropy and should be hashed at rest. Use a UUID to name a row; use an API key to authenticate a caller. If you want a short unique id rather than a secret, the NanoID or ULID tools fit better than this one.

Mint a live secret key for a new service or integration

You are wiring up a webhook receiver and need a bearer token your callers will send in the Authorization header. Pick the sk_live_ prefix, base62 charset, length 32 (about 190 bits), generate one, and the strength panel confirms it is far past any brute-force threat. Copy it once, store the hash on your side, and hand the plaintext to the client exactly once. Because generation is local, the only copy that ever existed off your machine is the one you deliberately send.

Issue separate keys for live and test environments

Stripe-style prefixes exist so a leaked key tells you instantly which environment it belongs to. Generate a batch with sk_live_ for production and a second batch with sk_test_ for staging, then seed each environment's secret store. When a key shows up in a log or a GitHub push, the prefix tells your scanner whether to rotate the real money path or just a sandbox token. Set count to the number of tenants you are provisioning and download the whole batch as a .txt.

Rotate a compromised key without downtime

A key leaked into a public repo. Generate a replacement with the same prefix and length so it slots into your existing validation regex, add it alongside the old one, deploy, then revoke the old key once traffic has moved over. Keeping the random body length identical means your column width, rate limiter keying, and log redaction rules all keep working with no schema change.

Generate base64url tokens that survive being put in a URL

Some flows put the token in a query string or path segment, where + and / from standard base64 would need percent-encoding. Switch the charset to base64url, which uses - and _ instead, so the key drops into a magic-link or password-reset URL untouched. Length 43 gives you 256 bits, matching a SHA-256 worth of entropy in a single copy-paste-safe string.

Stub realistic-looking keys for docs, demos, and tests

Your API reference needs example keys that look real but are not. Generate a handful with your real prefix, paste them into the docs and into snapshot-test fixtures, and they read as authentic without ever being valid against your auth server. Use a fixed batch so the docs and the tests reference the same throwaway strings instead of churning on every rebuild.

API Key Generator

Generate cryptographically random API keys and secret tokens with a custom prefix, length, and charset, with a live entropy readout, entirely in your browser.

Runs locally
Category Developer & DevOps
Best for Formatting, validating, shrinking, or inspecting code-adjacent text.

Prefix

Character set

Alphabet size: 62 chars

Body length

Count

Strength

Entropy (bits in the random body)

190.5

Full key length

40

Sample

sk_live_········…

Generated keys

Click Generate to produce API keys.

Settings ride in the URL. The keys themselves stay local and never enter the link.

What this tool does

A browser-based API key generator for developers who need to mint secret keys, bearer tokens, and access credentials without pasting sensitive values into some random website. Every key is built from crypto.getRandomValues, the same cryptographically secure source the Web Crypto API exposes, so the random body is genuinely unpredictable and never falls back to the insecure Math.random(). Add a routing prefix like sk_live_, pk_test_, or your own custom string, then choose a character set: base62 for clean alphanumeric keys, hex for lowercase 0-9 a-f, base64 url for tokens that drop straight into a URL, or base62 plus a safe set of symbols for maximum entropy per character. Tune the random body length from 8 to 128 and batch-generate up to 100 keys at once. The strength panel shows the entropy in bits, computed from the random body only since a prefix carries no secrecy, alongside the full key length and a masked sample. Copy a single key, copy all of them, or download the batch as a .txt file for seeding a secret store. Your settings ride in a shareable URL while the generated keys stay strictly local and re-randomise on every click. Zero dependencies, zero server round-trips, 100 percent client-side.

Tool details

Input: Text + Numbers; The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output: Live result + Copy + Download; The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy: Browser-side processing; The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share: Shareable URL state; Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget: Initial JS <= 9 KB; No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit: Developer & DevOps · Developer; Category and role tags drive related tools, internal links, and quick fit checks.

How to use

1. Input

Paste or drop your content into the tool panel.
2. Process

Click the button. All processing is local in your browser.
3. Copy / Download

Copy the result or download to disk in one click.

How API Key Generator fits into your work

Use it in the small gaps between coding, reviewing, debugging, and shipping.

Developer jobs

Formatting, validating, shrinking, or inspecting code-adjacent text.
Preparing snippets for documentation, tickets, commits, or handoff.
Checking a small payload quickly without switching tools.

Developer checks

Run irreversible transforms like minify or obfuscate on a copy.
Keep secrets out of pasted snippets unless the tool explicitly stays local.
Use your normal tests or linter before shipping transformed code.

Good next steps

These links move the current task into a more complete workflow.

Real-world use cases

Mint a live secret key for a new service or integration
You are wiring up a webhook receiver and need a bearer token your callers will send in the Authorization header. Pick the sk_live_ prefix, base62 charset, length 32 (about 190 bits), generate one, and the strength panel confirms it is far past any brute-force threat. Copy it once, store the hash on your side, and hand the plaintext to the client exactly once. Because generation is local, the only copy that ever existed off your machine is the one you deliberately send.
Issue separate keys for live and test environments
Stripe-style prefixes exist so a leaked key tells you instantly which environment it belongs to. Generate a batch with sk_live_ for production and a second batch with sk_test_ for staging, then seed each environment's secret store. When a key shows up in a log or a GitHub push, the prefix tells your scanner whether to rotate the real money path or just a sandbox token. Set count to the number of tenants you are provisioning and download the whole batch as a .txt.
Rotate a compromised key without downtime
A key leaked into a public repo. Generate a replacement with the same prefix and length so it slots into your existing validation regex, add it alongside the old one, deploy, then revoke the old key once traffic has moved over. Keeping the random body length identical means your column width, rate limiter keying, and log redaction rules all keep working with no schema change.
Generate base64url tokens that survive being put in a URL
Some flows put the token in a query string or path segment, where + and / from standard base64 would need percent-encoding. Switch the charset to base64url, which uses - and _ instead, so the key drops into a magic-link or password-reset URL untouched. Length 43 gives you 256 bits, matching a SHA-256 worth of entropy in a single copy-paste-safe string.
Stub realistic-looking keys for docs, demos, and tests
Your API reference needs example keys that look real but are not. Generate a handful with your real prefix, paste them into the docs and into snapshot-test fixtures, and they read as authentic without ever being valid against your auth server. Use a fixed batch so the docs and the tests reference the same throwaway strings instead of churning on every rebuild.

Common pitfalls

Generating keys with Math.random() in a quick script. Math.random() is a non-cryptographic PRNG: its state can be recovered from a few outputs, so an attacker who sees one key can predict the next. This tool uses crypto.getRandomValues exclusively. If you build your own generator, the byte source must be the Web Crypto API or a server-side CSPRNG, never the plain Math.random().
Trusting the prefix to add security. A prefix like sk_live_ is routing and scanning metadata, not a secret: it is predictable and contributes zero entropy. The strength panel here counts only the random body for exactly this reason. A 4-character random body behind a long fancy prefix is still trivially brute-forced, so size the body, not the label.
Storing the raw key in your database. Treat an API key like a password: keep only a salted hash (or an HMAC) and compare hashes on each request. If your database leaks and you stored plaintext keys, every one is immediately usable. Show the full key to the user exactly once at creation, then keep just the hash and a prefix for display.

Privacy

Every key is generated locally with your browser's crypto.getRandomValues. No key, prefix, or count is ever sent to a server, logged, or analysed. One thing to know about sharing: your settings (prefix, length, charset, count) ride in the URL query string so a shared link reproduces the configuration, but the generated keys themselves are deliberately kept out of the URL and are re-randomised on every Generate click. A share link therefore reveals only what shape of key you make, never an actual secret. Anything you generate here is a real credential the moment you put it into production, so treat it accordingly.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Developer

Browse all tools for this role

API Key Generator

What this tool does

Tool details

How to use

1. Input

2. Process

3. Copy / Download

How API Key Generator fits into your work

Developer jobs

Developer checks

Good next steps

Real-world use cases

Mint a live secret key for a new service or integration

Issue separate keys for live and test environments

Rotate a compromised key without downtime

Generate base64url tokens that survive being put in a URL

Stub realistic-looking keys for docs, demos, and tests

Common pitfalls

Privacy

FAQ

UUID Generator

NanoID Generator

Password Generator

ULID Generator

AI Eval Planner

Apache Cheatsheet

API Rate Limit Cheatsheet

ASCII Table Generator

ASCII Table Reference

awk + sed Cheatsheet

AWS CLI Cheatsheet

AWS IAM Cheatsheet