API Key / Token Generator
Generate secure random API keys and tokens in various formats and lengths.
API Keys
About API Key Generation
API keys are opaque tokens used to authenticate requests to an API. They identify the calling application or user and allow API providers to control access, enforce rate limits, and audit usage. Unlike username/password pairs, API keys are designed to be included in automated requests without human intervention.
What makes a good API key?
- Sufficient entropy — An API key should be long enough that it cannot be guessed or brute-forced. A 256-bit (32-byte) random key provides approximately 1077 possible values — effectively unguessable.
- Cryptographically random — Generated using a cryptographically secure random number generator (CSPRNG), not a predictable sequence like a timestamp or sequential ID.
- URL-safe encoding — Keys are typically encoded in hex or Base64 to avoid special characters that might interfere with HTTP headers or query strings.
- Unique prefix — Some services (e.g. GitHub, Stripe) add a short prefix (
sk_live_,ghp_) to make keys immediately identifiable and searchable in code.
API key security best practices
- Never hardcode API keys in source code. Use environment variables or a secrets manager.
- Store keys hashed on the server (using SHA-256) so that even a database breach doesn't expose the raw key.
- Rotate keys regularly and revoke keys immediately if compromise is suspected.
- Restrict API key permissions to the minimum required scope.
- Set IP allowlists where supported to prevent use from unexpected locations.
Frequently asked questions
Are these keys cryptographically secure?
Yes. Keys are generated using window.crypto.getRandomValues() which is a CSPRNG (cryptographically secure pseudo-random number generator) built into modern browsers.
How long should an API key be?
For most use cases, 32 bytes (64 hex chars) provides 256 bits of entropy which is more than sufficient. For higher-security tokens, use 48 or 64 bytes.