Secret Key Generator

Security

Generate secure random keys, API tokens, or passwords.

About this tool

What is the Secret Key Generator?

The Secret Key Generator creates cryptographically random keys, passwords, API tokens, UUIDs, passphrases, and secrets using your browser's built-in Web Crypto API. Choose an output mode, configure the settings, and a new value is generated instantly — nothing is ever sent to a server.


Output Modes

Random string — the classic mode. Set a length and choose which character types to include: uppercase, lowercase, numbers, and symbols. The entropy panel shows exactly how strong the result is in bits, along with a crack time estimate.

UUID — generates a standard UUID in either v4 (fully random, 122 bits of entropy) or v7 (time-ordered, sortable, ideal for database primary keys) format. UUID v7 encodes the current timestamp in the top 48 bits, making generated IDs sortable by creation time — a significant advantage for indexed database columns.

Hex — generates a hexadecimal string from a specified number of random bytes. Every byte produces two hex characters. A 32-byte hex string is 256 bits and suitable for encryption keys, nonces, and HMAC secrets.

Base64url — encodes random bytes as a URL-safe Base64 string with no padding and no + or / characters. This format is used directly in JWTs, OAuth tokens, and HTTP Authorization headers without further encoding.

API key — generates a prefixed key in the style used by Stripe, Anthropic, and other services (sk_live_…, pk_…, api_…). Prefixed keys are easier to identify in logs, easier to rotate per environment, and harder to accidentally commit than bare random strings.

Passphrase — generates a memorable phrase from a wordlist, in the style of the XKCD 936 / EFF recommendation. Configure the number of words, separator, capitalization, and whether to append a number. Passphrases are significantly easier to type and remember than random strings while still providing strong security at five or more words.
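The UUID mode's two layouts, as an added example (not this tool's own code). The function names are illustrative; the bit layout follows the description above: v4 is random apart from the version and variant bits, and v7 puts a 48-bit millisecond timestamp in the top bits.

```javascript
// Added example. Browser: globalThis.crypto; older Node.js falls back to node:crypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Render 16 bytes in the canonical 8-4-4-4-12 hex layout.
function formatUuid(bytes) {
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
          hex.slice(16, 20), hex.slice(20)].join('-');
}

// v4: 122 random bits plus 4 version bits and 2 variant bits.
function uuidV4() {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  bytes[6] = (bytes[6] & 0x0f) | 0x40; // version nibble = 4
  bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant bits = 10
  return formatUuid(bytes);
}

// v7: 48-bit Unix millisecond timestamp on top, the remaining 74 bits random.
function uuidV7(nowMs = Date.now()) {
  if (!Number.isInteger(nowMs) || nowMs < 0 || nowMs >= 2 ** 48) {
    throw new RangeError('timestamp must fit in 48 bits');
  }
  const bytes = rng.getRandomValues(new Uint8Array(16));
  let ts = BigInt(nowMs);
  for (let i = 5; i >= 0; i--) { // big-endian, so string order follows time order
    bytes[i] = Number(ts & 0xffn);
    ts >>= 8n;
  }
  bytes[6] = (bytes[6] & 0x0f) | 0x70; // version nibble = 7
  bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant bits = 10
  return formatUuid(bytes);
}

// Recover the creation time embedded in a v7 value (first 12 hex digits).
function timestampOfV7(uuid) {
  return parseInt(uuid.replace(/-/g, '').slice(0, 12), 16);
}
```

Because `timestampOfV7` recovers the creation time from any v7 value, a v7 UUID discloses when its record was created to anyone who sees the ID.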


How to Use the Generator

  1. Choose a mode. Click one of the six mode tabs at the top.
  2. Adjust the settings. Each mode has its own controls — length, byte count, prefix, word count, separator, and so on. The output updates automatically as you change any setting.
  3. Copy or regenerate. Click the copy icon to copy the output to your clipboard. Click the regenerate icon to generate a new value with the same settings.
  4. Read the entropy panel. Every output shows its strength in bits and an estimated crack time at one billion guesses per second, which is a realistic offline attack rate for a fast hash function.

Why Cryptographic Randomness Matters

Not all randomness is equal. JavaScript's Math.random() uses a deterministic pseudorandom number generator — its output is predictable given the seed, making it completely unsuitable for security-sensitive values.

This tool uses crypto.getRandomValues() exclusively, which draws entropy from the operating system — hardware timing, interrupt noise, and other genuinely unpredictable sources. The output is computationally infeasible to predict or reverse. For any value that needs to be a secret, this is the only acceptable approach.

To eliminate modulo bias (a subtle flaw where some characters appear slightly more often than others when random bytes are mapped onto a character set whose size does not evenly divide the byte range), the generator uses rejection sampling: random values at or above the largest exact multiple of the charset size are discarded and redrawn.
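Rejection sampling over crypto.getRandomValues() as described above, written as an added example rather than this tool's actual source. The function names and the one-byte-per-character approach are assumptions; `byteValuesPerIndex` is included only to make the bias countable.

```javascript
// Added example. Browser: globalThis.crypto; older Node.js falls back to node:crypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Largest multiple of the charset size that fits in a byte's 256 values.
// Bytes at or above this limit are rejected so every character is equally likely.
function acceptLimit(charsetSize) {
  if (!Number.isInteger(charsetSize) || charsetSize < 1 || charsetSize > 256) {
    throw new RangeError('charset size must be between 1 and 256');
  }
  return 256 - (256 % charsetSize);
}

function randomString(length, charset) {
  const chars = [...new Set(charset)]; // de-duplicate so no character is double-weighted
  const limit = acceptLimit(chars.length);
  const out = [];
  // Over-allocate a little; getRandomValues accepts at most 65536 bytes per call.
  const buf = new Uint8Array(Math.min(65536, Math.max(16, length * 2)));
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (out.length === length) break;
      if (b < limit) out.push(chars[b % chars.length]); // reject b >= limit
    }
  }
  return out.join('');
}

// How many of the byte values map to each charset index, with and without
// rejection. Unequal counts are the modulo bias.
function byteValuesPerIndex(charsetSize, useRejection) {
  const limit = useRejection ? acceptLimit(charsetSize) : 256;
  const counts = new Array(charsetSize).fill(0);
  for (let b = 0; b < limit; b++) counts[b % charsetSize]++;
  return counts;
}
```

For a 62-character alphanumeric set, the plain `byte % 62` mapping gives the first 8 characters 5 byte values each and the rest 4; with rejection every character gets exactly 4.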


Understanding the Entropy Panel

Entropy is measured in bits. Each bit doubles the number of possible values an attacker would need to try. The crack time estimates assume an attacker making one billion guesses per second, which is achievable with commodity hardware attacking an unsalted fast hash (MD5, SHA-1). Against a properly salted slow hash (bcrypt, Argon2), crack times would be orders of magnitude longer.

The strength levels used by this tool:

  • Weak — below 64 bits. Avoid for any security use.
  • Fair — 64–95 bits. Acceptable for short-lived tokens; not recommended for long-lived secrets.
  • Strong — 96–127 bits. Good for most applications.
  • Excellent — 128 bits and above. Suitable for encryption keys, JWT secrets, and any high-value secret.

Note: crack time is shown for secrets and passwords. For UUIDs, crack time is not applicable — UUIDs are identifiers, not secrets, and guessing a UUID is not a relevant attack model.
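The entropy panel's arithmetic, as an added example (not the tool's own code). It assumes entropy is length × log2(symbol count), that fractional values fall into the band below the next threshold, and that crack time means exhausting the full keyspace at the stated one billion guesses per second.

```javascript
// Added example: names and the worst-case crack-time convention are assumptions.
const GUESSES_PER_SECOND = 1e9; // rate stated on the page

// Bits of entropy for `length` independent picks from `symbolCount` equally
// likely symbols (characters, wordlist entries, or 256 for raw bytes).
function entropyBits(symbolCount, length) {
  return length * Math.log2(symbolCount);
}

// Strength bands as listed on the page.
function strengthLevel(bits) {
  if (bits < 64) return 'Weak';
  if (bits < 96) return 'Fair';
  if (bits < 128) return 'Strong';
  return 'Excellent';
}

// Shortest length that reaches a target strength with a given symbol set.
function minLengthFor(targetBits, symbolCount) {
  return Math.ceil(targetBits / Math.log2(symbolCount));
}

// Seconds to try every possible value (worst case for the attacker).
function crackSeconds(bits) {
  return 2 ** bits / GUESSES_PER_SECOND;
}

function describeCrackTime(bits) {
  const units = [['years', 31557600], ['days', 86400], ['hours', 3600],
                 ['minutes', 60], ['seconds', 1]];
  const seconds = crackSeconds(bits);
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return 'under a second';
}

// 94 printable ASCII symbols need 20 characters to reach 128 bits, which
// matches the page's "20+ chars, all character types" recommendation.
const passwordLength = minLengthFor(128, 94);
```

A 16-character alphanumeric string (62 symbols) comes to about 95.3 bits, just under the Strong threshold, which is why length matters more than it looks near a band boundary.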


Recommended Settings by Use Case

| Use case             | Mode             | Settings                       |
|----------------------|------------------|--------------------------------|
| Application password | Random           | 20+ chars, all character types |
| JWT secret (HS256)   | Base64url        | 32 bytes (256 bits)            |
| JWT secret (HS512)   | Base64url        | 64 bytes (512 bits)            |
| API key              | API Key          | sk_live_ prefix, 32-char body  |
| Database primary key | UUID             | v7 (sortable)                  |
| Unique identifier    | UUID             | v4 (fully random)              |
| Encryption key       | Hex              | 32 bytes (AES-256)             |
| HMAC secret          | Hex or Base64url | 32 bytes minimum               |
| Memorable password   | Passphrase       | 5+ words, append number        |
| Session token        | Random or Hex    | 32 chars / 16 bytes            |

Privacy

Key generation happens entirely in your browser using the Web Crypto API. No generated values, settings, or usage data are sent to any server or stored anywhere. Close the tab and the keys are gone.
