
API Key Generator

Security

Generate cryptographically secure API keys in hex, base62, or prefixed formats. Choose key length and format. Runs entirely in your browser — nothing stored.

What is an API Key?

An API Key Generator is a tool that produces cryptographically random secret tokens used to authenticate programmatic requests to an API, service, or system. API keys are how a server verifies that a request comes from an authorised client — they function as machine credentials, similar to passwords, but longer, fully random, and always stored programmatically rather than memorised.

The key quality that matters for an API key is unpredictability: it must be impossible for an attacker to guess the key even if they know the format, the system, or other keys issued by the same service. This tool uses crypto.getRandomValues(), the same cryptographic random source used by TLS key generation and browser-based cryptography libraries, ensuring every key is drawn from a uniform distribution with no exploitable pattern.

Generated keys run entirely in your browser with no server involvement. Nothing you generate is transmitted, logged, or stored anywhere — the value exists only in your browser tab until you copy it and close the page. For a unique identifier that doesn't need to be secret, use the UUID Generator instead. For a human-memorisable credential, the Password Generator is the right tool.

How to use this API Key generator

  1. Select the Key Format — Hex for universal compatibility, Base62 for maximum entropy density, Prefixed if you want a self-describing key, or UUID-style for RFC 4122 compliance.
  2. If using the Prefixed format, enter your Custom Prefix — for example sk_live, pk_test, or webhook_v2.
  3. Set the Key Length — 32 is the recommended default; increase only if your system policy requires it.
  4. Set Number of Keys to how many you need — up to 10 at once.
  5. Review the generated keys in the output panel.
  6. Click the copy icon to copy all keys to your clipboard, then store them immediately in your secret manager, .env file, or key vault. Do not leave secrets in your browser history or clipboard longer than necessary.

Formula & Methodology

The generator uses two character pools:

- Hex: 0123456789abcdef (16 characters — 4 bits per character)
- Base62: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ (62 characters — ~5.95 bits per character)

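For each character in the key body, a 32-bit cryptographically random integer is drawn from crypto.getRandomValues() and reduced modulo the pool size to select a character. This is the same approach used by most production cryptographic key generators. For the hex pool the reduction is exactly uniform, because 2^32 is a multiple of 16. For the base62 pool, 2^32 leaves a remainder of 4 when divided by 62, so the characters 0, 1, 2 and 3 are each selected about one part in 69 million more often than the rest; this does not measurably weaken a key, and rejection sampling (discarding draws of 2^32 - 4 or above) removes it entirely.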

Entropy by format and length:

| Length | Hex (bits) | Base62 (bits) |
|--------|-----------|---------------|
| 16 | 64 | 95 |
| 32 | 128 | 190 |
| 64 | 256 | 381 |

The UUID-style format uses 128 bits of raw random bytes, sets 6 bits to fixed values (version 4 marker and variant bits), leaving 122 bits of actual entropy — formatted as the standard 8-4-4-4-12 hex string with hyphens.

The Prefixed format takes a user-supplied alphanumeric prefix (sanitised to remove any special characters), appends an underscore separator, then generates the random body using the base62 pool at the specified length. The prefix itself contributes no entropy — all randomness comes from the body.
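
The selection step described above, written with rejection sampling: 2^32 is not a multiple of 62, so a plain modulo slightly favours four base62 characters, and discarding the top few draws removes that. This is an added example, not the tool's own code; the function names, the injectable `fill` parameter and the prefix-sanitising rule (letters, digits and underscore, at most 20 characters) are assumptions.

```javascript
// Added example, not the tool's own code. Names and the sanitising rule are assumptions.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // Node < 19 fallback
const csprng = (buf) => webCrypto.getRandomValues(buf);

const HEX = "0123456789abcdef";
const BASE62 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Number of 32-bit values left over after the last full multiple of poolSize.
// Non-zero means `x % poolSize` favours the first `leftover` pool characters.
function moduloLeftover(poolSize) {
  return 2 ** 32 % poolSize;
}

// Draw `length` characters from `pool`, discarding values in the biased tail
// so every character is equally likely. `fill` is injectable for testing.
function randomString(pool, length, fill = csprng) {
  const limit = 2 ** 32 - moduloLeftover(pool.length);
  const draw = new Uint32Array(1);
  let out = "";
  while (out.length < length) {
    fill(draw);
    if (draw[0] < limit) out += pool[draw[0] % pool.length];
  }
  return out;
}

// Prefixed key: sanitised prefix, underscore, base62 body.
// Assumed rule: keep letters, digits and "_", at most 20 characters.
function prefixedKey(prefix, length, fill = csprng) {
  const clean = prefix.replace(/[^A-Za-z0-9_]/g, "").slice(0, 20);
  return `${clean}_${randomString(BASE62, length, fill)}`;
}

// UUID-style key: 16 random bytes with 6 bits fixed (version 4, variant 10).
function uuidStyleKey(fill = csprng) {
  const b = new Uint8Array(16);
  fill(b);
  b[6] = (b[6] & 0x0f) | 0x40; // version nibble = 4
  b[8] = (b[8] & 0x3f) | 0x80; // variant bits = 10
  const h = Array.from(b, (x) => HEX[x >> 4] + HEX[x & 15]).join("");
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join("-");
}

// Entropy of the random body in whole bits, rounded down as in the table.
function entropyBits(poolSize, length) {
  return Math.floor(length * Math.log2(poolSize));
}
```

The `fill` parameter exists only so the rejection path can be exercised with a fixed sequence; leave it at its default when generating real keys.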

Frequently Asked Questions

What is an API key generator?
An API key generator is a tool that produces cryptographically random secret tokens used to authenticate requests to an API or service. API keys are how a server identifies which client is making a request — they act as a password the client presents on every call. Generating one with true randomness ensures it cannot be guessed or brute-forced within a practical timeframe.
How secure are the API keys generated by this tool?
Very secure. The generator uses `crypto.getRandomValues()`, the Web Crypto API's cryptographically secure random number source — the same standard used for TLS keys and password managers. A 32-character hex key has 128 bits of entropy; a 32-character base62 key has approximately 190 bits. Neither can be guessed by any practical brute-force attack.
What is the difference between hex, base62, and prefixed formats?
Hex keys use only the characters 0–9 and a–f, producing the most compact representation of raw random bytes and the easiest to store without encoding issues. Base62 keys use 0–9, a–z, and A–Z, packing more entropy per character for the same visual length. Prefixed keys add a recognisable prefix (like `sk_live_`) before the random body, making it immediately obvious what type of credential a key is — a pattern popularised by Stripe and many modern APIs.
What is the prefixed format and how should I use the custom prefix?
The prefixed format prepends your chosen prefix (e.g. `sk_live`, `pk_test`, `api_v2`) followed by an underscore and a random base62 body. This makes the key self-describing: a key starting with `sk_live_` is visually distinct from `pk_test_`, reducing the chance of accidentally using a live key in a test environment. Enter any alphanumeric prefix up to 20 characters in the Custom Prefix field.
Is it safe to generate API keys in the browser?
Yes — everything runs locally in your browser using the device's hardware random source. No key you generate is ever sent to a server, stored in a database, or logged in any analytics event. The generated value exists only in your browser's memory while the page is open.
How long should my API key be?
32 characters (128 bits of entropy for hex, ~190 bits for base62) is the widely-used standard — this is what AWS, Stripe, and most major API providers use. There is no practical security benefit to going longer, but 64 characters provides extra margin if you prefer. The minimum of 16 characters (64 bits) is acceptable only for low-sensitivity internal tools with strict access controls.
Can the same key be generated twice?
Theoretically possible but practically impossible. A 32-character hex key has 2^128 ≈ 3.4 × 10^38 possible values. Even generating a million keys per second for the entire age of the universe would not exhaust a meaningful fraction of that space. Collisions are not something you need to worry about for any real-world usage.
Should I use this in production?
This tool is appropriate for generating keys to use in production systems — the randomness quality is the same as what cryptographic libraries provide. However, key management (storing keys securely, rotating them, revoking them, logging usage) is your responsibility. The tool only handles generation; it does not store, track, or manage the keys you create.
What is the UUID-style format?
The UUID-style format produces a version 4 UUID: a 36-character string in the format `xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx`, where the random bits are generated by `crypto.getRandomValues()`. The result has the same format as the output of `crypto.randomUUID()`. Use it when your API key needs to look like a UUID for system compatibility, such as in platforms that validate API keys against the UUID format. For a standalone UUID, use the [UUID Generator](/uuid-generator/).
Can I generate multiple API keys at once?
Yes — up to 10 at a time using the Number of Keys field. Each key is generated independently from fresh output of `crypto.getRandomValues()`, so keys in a batch are, for all practical purposes, unique. This is useful for provisioning multiple environments (dev, staging, prod) or generating a set of test credentials in one go.
How do API keys differ from passwords?
Passwords are typically shorter and designed to be memorised by a human; API keys are longer, machine-generated, and always stored programmatically (in environment variables, secret managers, or config files — never hardcoded). API keys are also typically rotated on a schedule or immediately after exposure, while passwords may persist longer. Use the [Password Generator](/password-generator/) when you need a human-memorable secret and this tool when you need a machine credential.
What characters are safe for API keys?
Hex keys (0–9, a–f) are universally safe — every system, URL, and log format handles them without escaping. Base62 keys (0–9, a–z, A–Z) are also safe in virtually all contexts. Both formats avoid special characters that could cause issues in environment variables, HTTP headers, shell scripts, or JSON values.