API Key Generator
Generate cryptographically random API keys in multiple formats. Add custom prefixes and suffixes for branded keys like sk_live_...
Generated using crypto.getRandomValues(). 256 bits of entropy. Client-side only.
How to Use This Tool
Choose the key format: UUID (standard 36-char format), Hex (compact hexadecimal), Alphanumeric (URL-safe letters and numbers), or Base64 (URL-safe base64 encoding).
Add an optional prefix to create branded keys — for example, "sk_live_" produces keys like "sk_live_a3f8b2c1d4e5f6..." that are recognizable and easy to filter in logs.
Click "Generate" to produce a cryptographically random key using your browser's Web Crypto API. Store the generated key in a secrets manager or environment variable — it is shown only once.
Code Examples
const crypto = require('crypto');
// 256-bit hex key (64 chars) — most common format
const hexKey = crypto.randomBytes(32).toString('hex');
console.log('sk_live_' + hexKey);
// → sk_live_a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1
// Base64 URL-safe key
const b64Key = crypto.randomBytes(32).toString('base64url');
console.log('pk_' + b64Key);
// UUID format: a v4 UUID carries 122 random bits; the hyphens are stripped here
const { randomUUID } = require('crypto');
const uuidKey = randomUUID().replace(/-/g, '');
console.log('key_' + uuidKey);
Frequently Asked Questions
What format should my API key be in?
Hex (256-bit, 64 chars) is the most common format for backend API keys — it's compact, URL-safe, and has no ambiguous characters. Use UUID format when interoperability with UUID-aware systems is needed. Base64 URL-safe is shorter for the same entropy but requires padding handling. Alphanumeric works well for human-readable keys that may be typed.
How should I validate API keys in my application?
Store only the hash (SHA-256) of the API key in your database — not the key itself. When a request arrives, hash the provided key and compare it to the stored hash. This way, even if your database is breached, the actual keys remain secret. Show the full key to the user only once at creation time.
What is a good API key prefix strategy?
Use prefixes to identify key type and environment: "sk_live_" for production secret keys, "sk_test_" for test keys, "pk_live_" for publishable (client-side) keys. This makes it trivial to identify keys in logs, rotate by type, and set up automatic scanning rules in tools like GitHub secret scanning.
How often should I rotate API keys?
Rotate immediately if a key is exposed or you suspect compromise. For planned rotation, quarterly rotation is a reasonable baseline for production keys. Implement a rotation strategy that supports multiple valid keys simultaneously during the transition window to avoid downtime.
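The hash-only storage described under "How should I validate API keys in my application?" and the overlapping-keys rotation described just above, combined in one added example (not code from this tool). The in-memory keyTable, the function names and the sk_test_ default prefix are assumptions made for illustration; the comparison uses crypto.timingSafeEqual so that matching a presented key does not leak timing information.

```javascript
const crypto = require('crypto');

// Constructed in-memory stand-in for a database table of key records.
const keyTable = []; // entries: { hash: Buffer, expiresAt: number | null }

function sha256(text) {
  return crypto.createHash('sha256').update(text, 'utf8').digest();
}

// Create a key: persist only its SHA-256 hash, return the plaintext once.
function issueKey(prefix = 'sk_test_') {
  const apiKey = prefix + crypto.randomBytes(32).toString('hex');
  keyTable.push({ hash: sha256(apiKey), expiresAt: null });
  return apiKey;
}

// Check a presented key against every stored hash that has not expired.
function verifyKey(presented, now = Date.now()) {
  if (typeof presented !== 'string') return false;
  const candidate = sha256(presented);
  let ok = false;
  for (const rec of keyTable) {
    const live = rec.expiresAt === null || now < rec.expiresAt;
    // Both buffers are 32 bytes, so timingSafeEqual never throws here.
    if (crypto.timingSafeEqual(candidate, rec.hash) && live) ok = true;
  }
  return ok;
}

// Rotate: issue a replacement and keep the old key valid for graceMs,
// so clients can switch over without downtime.
function rotateKey(oldKey, graceMs, now = Date.now()) {
  const oldHash = sha256(oldKey);
  const rec = keyTable.find((r) => crypto.timingSafeEqual(r.hash, oldHash));
  if (!rec) throw new Error('unknown key');
  rec.expiresAt = now + graceMs;
  return issueKey();
}
```

For an exposed key, call rotateKey with a graceMs of 0 so the old key stops verifying immediately.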