๐ Passwords & Secrets
What Is an API Key? (And How to Keep It Secret)
By Justin Le
ยท 6 min read ยท Updated June 27, 2026 Almost every service you integrate with hands you an API key. They're simple in concept but easy to mishandle โ leaked keys are one of the most common causes of breaches. Here's what an API key is and how to treat it responsibly.
What is an API key?
An API key is a long, random string that identifies and authenticates an application (not a person) when it calls an API. The server checks the key on each request to decide whether to allow it and which account it belongs to. Think of it as a password for a program โ a secret that proves "this request is authorised."
API key vs password vs token
- Password โ authenticates a human; meant to be memorised; should be hashed at rest.
- API key โ authenticates an application; long and random; usually long-lived until rotated.
- Token (e.g. JWT) โ often short-lived, may carry claims, and is issued after an auth step. See our JWT guide.
Unlike a password, nobody needs to remember an API key, so it should be as long and random as practical.
How much randomness does a key need?
Security comes entirely from the key being unguessable. Aim for at least 128 bits of entropy; 256 bits is a comfortable margin for long-lived keys. In practical terms that's roughly 32 hex characters or about 22 Base64url characters. Generating keys from a cryptographic random source โ not a human-chosen phrase โ is essential.
What about prefixes?
Many providers prefix keys to make them recognisable: Stripe uses sk_live_,
GitHub uses ghp_. The prefix adds no security, but it helps humans and
automated secret-scanners spot a leaked key instantly. The random body is what protects
it.
Best practices for handling keys
- Never commit keys to source control. Leaked Git history is a top source of exposed secrets โ and bots scan public repos within minutes.
- Don't log them. Keys in log files or error messages are a common silent leak.
- Store them in environment variables or a secrets manager, not in code or config files checked into the repo.
- Scope and limit them. Use the narrowest permissions and, where possible, restrict by IP or domain.
- Rotate regularly and immediately after any suspected exposure. Treat rotation as routine, not an emergency-only action.
If a key leaks
Revoke it immediately, issue a new one, and check the provider's logs for unauthorised use. Because keys are long-lived, a leaked key can be abused until it's revoked โ speed matters.
Try it
Generate cryptographically strong keys โ in hex, Base64url or alphanumeric, with an optional prefix โ using our API key generator, which shows the entropy for your settings. For human passwords instead, see the password generator.
Frequently asked questions
What's the difference between an API key and a password?
A password authenticates a person and is meant to be memorised. An API key authenticates an application, is long and random, and nobody needs to remember it โ so it should have far more entropy.
How long should an API key be?
Target at least 128 bits of entropy (about 32 hex or 22 Base64url characters); 256 bits is a safe choice for long-lived keys. Always generate them from a cryptographic random source.
What should I do if my API key leaks?
Revoke it immediately, generate a replacement, and review the provider's logs for unauthorised use. Because keys are long-lived, fast revocation limits the damage.
Try the related tools
- API Key & Secret Generator Generate cryptographically secure API keys and secrets in hex, Base64url or alphanumeric.
- Password Generator Create strong, random passwords with custom length and character sets โ generated securely in your browser.
- UUID Generator (v4 & v7) Generate random v4 UUIDs or time-ordered v7 UUIDs in bulk, ready to copy.
Related guides
- What Is a JWT and How Does It Work? How JSON Web Tokens really work โ the header, payload and signature, what signing proves, and the security mistakes that bite teams.
- How to Create a Strong Password (and Why Length Wins) Forget swapping letters for symbols. Here's what really makes a password strong โ entropy, length, uniqueness โ and the simple system that beats memorising rules.
- Bcrypt vs SHA-256: Why You Don't Hash Passwords with SHA SHA-256 is fast โ which is exactly why it's the wrong way to store passwords. Here's why bcrypt (or Argon2) wins, and how salting and cost factors work.