API Key Generator — Create Secure API Keys
Generate cryptographically secure API keys for your applications. Choose key length, format (hex, base64, alphanumeric), and character set. All generation uses the browser's crypto API — keys are never transmitted or stored.
Tips
Use at least 32 characters
An API key should carry at least 128 bits of entropy, which is 32 hex characters, 22 base64 characters, or about 22 characters drawn from a 62-character alphanumeric set. For high-value keys use 256 bits (64 hex characters). The count only means something when every character comes from a cryptographic random source; 32 characters of Math.random() output are not 128 bits of anything.
Prefer hex or base64 format
Hex (0–9, a–f) is safe everywhere: URLs, headers, cookies, config files, logs. Standard base64 (A–Z, a–z, 0–9, +, /) is not URL-safe: + and / and the trailing = padding must be percent-encoded in a path or query string, and an unencoded + decodes as a space in form data. Use base64url (- and _ in place of + and /, no padding) for anything that may appear in a URL or cookie. Both hex and base64 pass through an HTTP Authorization header without further encoding.
Never commit keys to version control
Store API keys in environment variables or a .env file that is listed in .gitignore, never in source code. In production, read them from a secret manager such as AWS Secrets Manager at startup. If a key is ever committed, treat it as compromised and rotate it: rewriting history does not un-leak it, because clones, forks and CI logs keep the old value.
Rotate keys regularly
Rotate API keys every 90 days or immediately after a suspected compromise. Build key rotation into your deployment process from the start.
Secret Key Generator
Generate secure random keys, API tokens, or passwords.
About this tool
What is the Secret Key Generator?
The Secret Key Generator creates cryptographically random keys, passwords, API tokens, UUIDs, passphrases, and secrets using your browser's built-in Web Crypto API. Choose an output mode, configure the settings, and a new value is generated instantly — nothing is ever sent to a server.
Output Modes
Random string — the classic mode. Set a length and choose which character types to include: uppercase, lowercase, numbers, and symbols. The entropy panel shows exactly how strong the result is in bits, along with a crack time estimate.
UUID — generates a standard UUID in either v4 (fully random, 122 bits of entropy) or v7 (time-ordered, sortable, ideal for database primary keys) format. UUID v7 encodes the current timestamp in the top 48 bits, making generated IDs sortable by creation time — a significant advantage for indexed database columns.
Hex — generates a hexadecimal string from a specified number of random bytes. Every byte produces two hex characters. A 32-byte hex string is 256 bits and suitable for encryption keys, nonces, and HMAC secrets.
Base64url — encodes random bytes as a URL-safe Base64 string with no padding and no + or / characters. This format is used directly in JWTs, OAuth tokens, and HTTP Authorization headers without further encoding.
API key — generates a prefixed key in the style used by Stripe, Anthropic, and other services (sk_live_…, pk_…, api_…). Prefixed keys are easier to identify in logs, easier to rotate per environment, and easier for secret scanners (pre-commit hooks, GitHub push protection) to recognise, so an accidental commit is far more likely to be caught. The prefix is a label, not entropy: all of the key's strength comes from the random body after it.
Passphrase — generates a memorable phrase from a wordlist, in the style of the XKCD 936 / EFF recommendation. Configure the number of words, separator, capitalization, and whether to append a number. Passphrases are far easier to type and remember than random strings. With a 7,776-word list such as the EFF long list, each word adds about 12.9 bits, so five words give roughly 65 bits and six roughly 77; the entropy panel reports the exact figure for the configured settings.
How to Use the Generator
- Choose a mode. Click one of the six mode tabs at the top.
- Adjust the settings. Each mode has its own controls — length, byte count, prefix, word count, separator, and so on. The output updates automatically as you change any setting.
- Copy or regenerate. Click the copy icon to copy the output to your clipboard. Click the regenerate icon to generate a new value with the same settings.
- Read the entropy panel. Every output shows its strength in bits and an estimated crack time at one billion guesses per second, which is a realistic offline attack rate for a fast hash function.
Why Cryptographic Randomness Matters
Not all randomness is equal. JavaScript's Math.random() is a deterministic pseudorandom number generator: its output is fully determined by its seed, and in practice the engine's internal state can be recovered from a handful of observed outputs, after which every past and future value is known. That makes it completely unsuitable for security-sensitive values.
This tool uses crypto.getRandomValues() exclusively, which draws entropy from the operating system — hardware timing, interrupt noise, and other genuinely unpredictable sources. The output is computationally infeasible to predict or reverse. For any value that needs to be a secret, this is the only acceptable approach.
The generator also eliminates modulo bias, the subtle flaw that appears when random bytes are mapped onto a character set with a plain `byte % charsetSize`: because 256 is usually not a multiple of the charset size, the first few characters land slightly more often than the rest. It uses rejection sampling instead: any byte at or above the largest multiple of the charset size that fits in 256 is discarded and a fresh byte drawn, so every character is exactly equally likely.
Understanding the Entropy Panel
Entropy is measured in bits. Each additional bit doubles the number of possible values an attacker would need to try. The crack time estimates assume an attacker making one billion guesses per second, which a single commodity GPU exceeds against an unsalted fast hash such as MD5 or SHA-1. Against a deliberately slow password hash (bcrypt, scrypt, Argon2) each guess costs millions of times more, so real crack times would be orders of magnitude longer. Salting prevents precomputation and cracking many hashes at once but does not slow down a single targeted guess; only the slow hash does that.
The strength levels used by this tool:
- Weak — below 64 bits. Avoid for any security use.
- Fair — 64–95 bits. Acceptable for short-lived tokens; not recommended for long-lived secrets.
- Strong — 96–127 bits. Good for most applications.
- Excellent — 128 bits and above. Suitable for encryption keys, JWT secrets, and any high-value secret.
Note: crack time is shown for secrets and passwords, not for UUIDs. UUIDs are identifiers, not secrets, so guessing one is not the relevant attack model. The converse matters too: do not use a UUID as a session or bearer token. A v7 UUID carries only 74 random bits and reveals its creation time, and a v4 UUID, while it has 122 random bits, is routinely logged, indexed and passed around in URLs in ways a secret never should be. Generate tokens in the Random, Hex or Base64url modes instead.
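The arithmetic behind the entropy panel and the strength levels above, as an added example that is not the tool's own code. The page does not state the tool's symbol set or wordlist size, so 32 printable ASCII symbols and the 7,776-word EFF long list are assumed here, and the function and option names are this example's own.

```javascript
// Added example (not the tool's own code): entropy in bits, crack time at a given
// guess rate, and the Weak/Fair/Strong/Excellent thresholds from the page.

const CHARSET_SIZES = { upper: 26, lower: 26, digits: 10, symbols: 32 }; // 32 symbols: assumption
const EFF_WORDLIST_SIZE = 7776;                                          // EFF long list: assumption

// Bits of entropy for each output mode: length * log2(alphabet), or the raw random-bit count.
function entropyBits(mode, opts) {
  switch (mode) {
    case 'random': {
      const size = opts.classes.reduce((n, c) => n + CHARSET_SIZES[c], 0);
      return opts.length * Math.log2(size);
    }
    case 'hex':
    case 'base64url':
      return opts.bytes * 8;                          // the encoding adds no entropy
    case 'uuid':
      return opts.version === 4 ? 122 : 74;           // v7: 128 - 48 timestamp - 6 version/variant
    case 'passphrase':
      return opts.words * Math.log2(opts.wordlistSize ?? EFF_WORDLIST_SIZE);
    default:
      throw new Error(`unknown mode ${mode}`);
  }
}

// Expected time to hit the secret: half the keyspace at the given rate.
// 1e9 guesses/s is the panel's assumption (fast unsalted hash on commodity GPUs).
function crackTimeSeconds(bits, guessesPerSecond = 1e9) {
  return Math.pow(2, bits - 1) / guessesPerSecond;
}

// Thresholds exactly as listed on the page.
function strengthLabel(bits) {
  if (bits < 64) return 'Weak';
  if (bits < 96) return 'Fair';
  if (bits < 128) return 'Strong';
  return 'Excellent';
}

function formatDuration(seconds) {
  const units = [['years', 31557600], ['days', 86400], ['hours', 3600], ['minutes', 60], ['seconds', 1]];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toExponential(2)} ${name}`;
  }
  return 'under a second';
}

// A few panel lines; UUIDs get no crack time because they are identifiers, not secrets.
const samples = [
  ['Application password', 'random', { length: 20, classes: ['upper', 'lower', 'digits', 'symbols'] }],
  ['JWT secret (HS256)', 'base64url', { bytes: 32 }],
  ['Session token', 'hex', { bytes: 16 }],
  ['Passphrase, 5 words', 'passphrase', { words: 5 }],
  ['UUID v7', 'uuid', { version: 7 }],
];
for (const [label, mode, opts] of samples) {
  const bits = entropyBits(mode, opts);
  const time = mode === 'uuid' ? 'n/a (identifier)' : formatDuration(crackTimeSeconds(bits));
  console.log(`${label}: ${bits.toFixed(1)} bits, ${strengthLabel(bits)}, ${time}`);
}
```

Two things worth noticing in the output: a five-word passphrase from a 7,776-word list lands at about 65 bits, which the page's own scale calls Fair, so the sixth word the EFF recommends is what lifts it out of that band; and a v7 UUID's 74 bits would rate Fair if it were a secret, which is another reason the panel refuses to treat it as one.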
Recommended Settings by Use Case
| Use case | Mode | Settings |
|---|---|---|
| Application password | Random | 20+ chars, all character types |
| JWT secret (HS256) | Base64url | 32 bytes (256 bits) |
| JWT secret (HS512) | Base64url | 64 bytes (512 bits) |
| API key | API Key | sk_live_ prefix, 32-char body |
| Database primary key | UUID | v7 (sortable) |
| Unique identifier | UUID | v4 (fully random) |
| Encryption key | Hex | 32 bytes (AES-256) |
| HMAC secret | Hex or Base64url | 32 bytes minimum |
| Memorable password | Passphrase | 5+ words, append number |
| Session token | Random or Hex | 32 chars / 16 bytes |
Privacy
Key generation happens entirely in your browser using the Web Crypto API. No generated values, settings, or usage data are sent to any server or stored anywhere. Close the tab and the keys are gone.