API Key Generator — Create Secure API Keys
Generate cryptographically secure API keys for your applications. Choose key length, format (hex, base64, alphanumeric), and character set. All generation uses the browser's crypto API — keys are never transmitted or stored.
Tips
Use at least 32 characters
API keys should be at least 32 characters (128 bits of entropy) to resist brute-force attacks. For high-security applications, use 64 characters or more.
Prefer hex or base64 format
Hex (0–9, a–f) and base64 (A–Z, a–z, 0–9, +, /) formats are URL-safe and easy to transmit in HTTP headers. Avoid special characters that need URL encoding.
Never commit keys to version control
Store API keys in environment variables (.env files), not in your code. Add .env to .gitignore and use secret management services like AWS Secrets Manager in production.
Rotate keys regularly
Rotate API keys every 90 days or immediately after a suspected compromise. Build key rotation into your deployment process from the start.
Secret Key Generator
Generate secure random keys, API tokens, or passwords.
About this tool
What is the Secret Key Generator?
The Secret Key Generator creates cryptographically random keys, passwords, API tokens, and secrets using your browser's built-in cryptographic random number generator. Choose the length, select which character sets to include, and generate as many keys as you need — instantly, with nothing sent to any server.
How to Use the Generator
- Set the length. Use the slider or input to choose how many characters your key should be.
- Select character sets. Toggle which types of characters to include:
  - Uppercase letters (A–Z)
  - Lowercase letters (a–z)
  - Numbers (0–9)
  - Symbols (!@#$%^&* etc.)
- Generate. A new random key is created immediately. Click Generate again for a different key.
- Copy. Click the Copy button to put the key on your clipboard.
Why Cryptographic Randomness Matters
Not all random is equal. A standard Math.random() call in JavaScript uses a pseudorandom number generator (PRNG) — its output is deterministic and predictable given its seed. Cryptographic randomness (crypto.getRandomValues()) uses entropy from the operating system — hardware events, timing variations, and other unpredictable sources — producing output that is computationally infeasible to predict.
This tool exclusively uses crypto.getRandomValues(). For passwords, API keys, session tokens, and anything that needs to be genuinely secret, this is the correct approach.
Recommended Key Lengths by Use Case
| Use case | Recommended length | Notes |
|---|---|---|
| Website passwords | 16–20 characters | Use a password manager to store |
| API keys | 32–64 characters | Alphanumeric or hex format |
| JWT secrets (HS256) | 32+ characters | Minimum 256 bits of entropy |
| JWT secrets (HS512) | 64+ characters | Minimum 512 bits of entropy |
| Session tokens | 32 characters | Random, not predictable |
| Encryption keys | 32 or 64 characters | Match key size to algorithm |
| CSRF tokens | 16–32 characters | Single-use per form |
Character Set Considerations
Alphanumeric only (A–Z, a–z, 0–9) — URL-safe, compatible with most APIs and systems that don't accept special characters. Slightly lower entropy per character than full character sets.
Including symbols — increases entropy per character, producing stronger keys at the same length. Some systems restrict which symbols are valid; check before using.
Hex (0–9, a–f) — commonly used for API keys and cryptographic keys because hex encodes cleanly without special characters. A 64-character hex string represents 32 bytes (256 bits) of entropy.
Base64 — encodes 6 bits per character, more compact than hex. Used in JWTs, encoded credentials, and some API authentication schemes.
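An added example, not the tool's own source: one way to draw a key from an arbitrary character set with crypto.getRandomValues() without modulo bias, and to compute how many bits of entropy a given length and character set carry. The names CHARSETS, entropyBits, lengthForBits and generateKey are hypothetical; the base64url alphabet shown uses - and _ in place of + and /, so the key needs no URL encoding.

```javascript
// Added example, not the tool's own source. Web Crypto is global in browsers
// and Node 19+; the require() fallback only covers older Node.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Hypothetical names for this example. base64url uses - and _ instead of + and /.
const CHARSETS = {
  hex: '0123456789abcdef',
  alphanumeric: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',
  base64url: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',
};

// Bits of entropy in `length` characters drawn uniformly from `charset`.
function entropyBits(length, charset) {
  return length * Math.log2(new Set(charset).size);
}

// Smallest length that reaches `bits` of entropy with `charset`.
function lengthForBits(bits, charset) {
  return Math.ceil(bits / Math.log2(new Set(charset).size));
}

// Draw `length` characters uniformly from `charset` by rejection sampling.
function generateKey(length, charset) {
  const chars = [...new Set(charset)];
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  if (chars.length < 2 || chars.length > 256) {
    throw new RangeError('charset needs 2 to 256 distinct characters');
  }
  // Bytes >= limit are discarded: mapping them with % would make the first
  // (256 % chars.length) characters slightly more likely than the rest.
  const limit = 256 - (256 % chars.length);
  const buf = new Uint8Array(Math.min(65536, Math.max(32, length * 2)));
  const out = [];
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(chars[b % chars.length]);
    }
  }
  return out.join('');
}

console.log(generateKey(32, CHARSETS.hex), entropyBits(32, CHARSETS.hex));
```

For character sets whose size is a power of two (hex, base64url) no bytes are rejected; for the 62-character alphanumeric set, bytes 248 to 255 are thrown away and redrawn.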
Privacy
Key generation happens entirely in your browser using the Web Crypto API. No keys, settings, or usage data are sent to any server or stored anywhere. Close the tab and the generated keys are gone.