API Key Generator
Generate opaque, high-entropy API keys for authenticating clients to your service, encoded as base64url and ready to use.
Keys are generated locally with the Web Crypto API. Nothing is sent to our servers.
What makes a good API key
An API key identifies and authenticates a caller. It should be long, random and free of any structure an attacker could predict or guess. A 32-byte key carries 256 bits of entropy, which is comfortably beyond the reach of brute force.
Treat keys like passwords. Store only a hash on your side, compare it on each request, and give every client its own key so you can revoke one without affecting the rest.
Best practices
- Use 32 bytes (256 bits) of entropy, encoded as base64url for compact, URL-safe keys.
- Store a hash of the key, never the raw value, and compare on each request.
- Add a recognizable prefix so keys are easy to spot in logs and revoke.
More secret generators
Every generator below is the same local, Web Crypto powered tool, preset for a different job. Nothing you generate leaves your browser.
- Secure Password Generator: passwords, secrets, tokens and PINs in one place.
- OpenSSL Rand Generator: openssl rand style base64 and hex secrets.
- JWT Secret Generator: strong HS256 signing secrets for JWT.
- Random Token Generator: session, reset and verification tokens.
- Passphrase Generator: memorable multi-word passphrases.
- PIN Generator: quick numeric PIN codes.
Frequently asked questions
How long should an API key be?
Aim for at least 128 bits of entropy; 256 bits (32 random bytes) is a strong, common default. Encoded as base64url that is a 43 character key.
Why base64url for API keys?
Base64url is compact and safe in URLs and headers, with no `+`, `/` or `=` characters to escape. That makes the key easy to send in an Authorization header or query string.
Should I store API keys in plain text?
No. Store only a hash of the key, the same way you would a password. Compare the hash on each request so a database leak does not expose usable keys.
How do I revoke a key?
Give each client its own key and keep an identifier or prefix for it. To revoke, delete or disable that one record; other clients are unaffected.
