Free API Key Generator
Generate secure API keys, bearer tokens, and access secrets. 256 bits of entropy by default, configurable to 128 / 192 / 384 / 512 bits. Output in hex, URL-safe base64, or alphanumeric. Cryptographically random, runs in your browser.
When to use this
Use this generator any time you need a long, random token for authentication or authorization: REST API authentication, webhook signing secrets, OAuth client secrets, bearer tokens, per-user access tokens, or service-to-service authentication.
Storage best practices
- Never commit API keys to git. Use environment variables or a secrets manager.
- Rotate periodically. Bake key versioning in from the start.
- Scope narrowly. A read-only key should not have write permissions.
- Use HTTPS only. Sending an API key over HTTP exposes it on every request.
- Log key prefixes, not full keys. The first 8 chars are enough to identify a key in logs without leaking it.
Frequently asked questions
An API key is a secret token that identifies your application to a server. It is sent in HTTP headers (typically Authorization: Bearer …) on each request. Keys must be long and unpredictable; 256 bits of entropy (32 bytes) is the modern standard.
32 bytes (256 bits) is the modern default. 16 bytes (128 bits) is the absolute minimum for any production system. Anything shorter is brute-forceable.
hex is the most compatible (only 0-9, a-f). base64url is shorter and URL-safe. alphanumeric is human-pronounceable and works in form fields that strip special characters. All three have identical entropy at the same byte count.
Conventional prefixes like sk_ (secret key), pk_ (public key), or tok_ (token) help operators distinguish key types in logs and prevent accidental misuse. Stripe, GitHub, and OpenAI all use this pattern.
Yes. Keys are generated entirely in your browser using crypto.getRandomValues — the Web Crypto API. Nothing is transmitted, logged, or stored.


