API Key & Secret Generator
Generate cryptographically secure API keys and secrets in hex, Base64url or alphanumeric.
Updated: June 26, 2026
Generate secure API keys and secrets
API keys, client secrets, session tokens and webhook signing secrets all need
the same thing: enough unpredictable randomness that nobody can guess them.
This generator uses your browser's cryptographic random source
(crypto.getRandomValues) and lets you choose the encoding, length
and an optional prefix. The key is generated locally and never leaves your
machine — safe to use for real production secrets.
Which format should I use?
- Base64url — compact and URL/JSON-safe (only A–Z a–z 0–9 - _). The best default for tokens that travel in URLs, headers or config files.
- Hex — only 0–9 a–f. Longer for the same entropy, but unambiguous and easy to log; common for signing secrets.
- Alphanumeric — A–Z a–z 0–9, no symbols. Handy when a key must be copied by hand or used where symbols cause trouble.
How much entropy do I need?
For secrets, aim for at least 128 bits of entropy; 256 bits is a comfortable margin for long-lived keys. The tool shows the entropy for your chosen length and format so you can size it correctly. As a guide, 128 bits is about 32 hex characters, or roughly 22 Base64url characters. More entropy costs you nothing here, so err on the generous side for anything long-lived.
Using a prefix
Many platforms prefix keys to make them identifiable — Stripe uses
sk_live_, GitHub uses ghp_. A prefix doesn't add
security, but it helps humans and secret-scanning tools recognise a leaked key
instantly. Add your own prefix in the field above; the random body keeps its
full entropy regardless.
Handle secrets responsibly
A generated key is only as safe as how you store it. Never commit secrets to source control, never log them, and rotate them periodically or immediately after any suspected exposure. Keep the canonical copy in a secrets manager or environment variables, not in code. When you must store a derived credential that will be checked later, hash it — see our bcrypt tool for password-style secrets and the HMAC generator for signing.
Frequently asked questions
Are these keys cryptographically secure?
Yes. They use the Web Crypto API's crypto.getRandomValues with unbiased character selection. The key is generated in your browser and never transmitted.
How long should an API key be?
Target at least 128 bits of entropy (about 32 hex or 22 Base64url characters); 256 bits is a safe choice for long-lived keys. The tool shows the entropy for your settings.
Does the prefix make the key more secure?
No. A prefix like sk_live_ only helps identify the key's type and owner, and assists secret-scanning tools. The security comes entirely from the random body.
Can I use this for session tokens and webhook secrets?
Yes. Any opaque, high-entropy secret — session tokens, signing secrets, client secrets — can be generated this way. Just store them securely and rotate when needed.
Secrets management platforms
Generating a key is easy; storing and rotating it safely at scale is the hard part:
- Secrets manager / vault: Store, version and rotate API keys and secrets with audit logging and fine-grained access control.
- Secret-scanning / DLP tool: Automatically detect keys accidentally committed to repositories or logs before attackers do.
Related tools
- Password Generator: Create strong, random passwords with custom length and character sets — generated securely in your browser.
- UUID Generator (v4 & v7): Generate random v4 UUIDs or time-ordered v7 UUIDs in bulk, ready to copy.
- HMAC Generator (SHA-1, SHA-256, SHA-512): Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.
- Password Strength & Entropy Checker: Measure a password's entropy in bits and estimate how long it would take to crack.