API Key Generator
Generate secure, random API keys in multiple formats.
What is an API key?
An API key is a unique string used to authenticate requests from a client application to an API. It serves as both identification (who is making the request) and authentication (proving they are allowed to). Unlike usernames and passwords, API keys are typically long, random strings designed for machine-to-machine communication rather than human memorisation.
API key formats in common use
| Service | Format example | Notes |
|---|---|---|
| OpenAI | sk-proj-...48 chars alphanumeric | sk- prefix indicates "secret key" |
| Anthropic Claude | sk-ant-api03-...random | Hierarchical prefix identifies service |
| Stripe | sk_live_... / sk_test_... | Live vs. test keys clearly distinguished |
| GitHub | ghp_...40 hex chars | ghp = GitHub Personal token |
| AWS | 20-char uppercase + 40-char secret | Two-part: Access Key ID + Secret Access Key |
| Google Maps | 39-char alphanumeric | Often further restricted by domain/IP/referrer |
API key security best practices
- Never commit API keys to version control. Use environment variables or secrets managers (AWS Secrets Manager, HashiCorp Vault, GitHub Secrets). If a key is committed, rotate it immediately: git history is permanent.
- Apply the principle of least privilege. Create keys with only the permissions the application needs. A read-only key cannot be used to delete data even if compromised.
- Rotate keys regularly. Treat API keys like passwords: change them on a schedule and immediately whenever a potential exposure occurs.
- Use different keys for different environments. Separate keys for development, staging, and production prevent a test environment breach from affecting production data or billing.
Frequently asked questions
Are these API keys secure?
They are generated locally in your browser using cryptographically random values and are never transmitted or stored by this site. What you do with them afterwards is up to you.
What length should an API key be?
For most uses, 32 characters or more of random data provides strong, practically unguessable keys. Longer keys add more entropy for highly sensitive systems.
How should I store API keys safely?
Keep them in environment variables or a secrets manager; never commit them to source control or expose them in client-side code. Rotate them periodically.
What is the difference between an API key and a token?
An API key is a long-lived identifier for an application, while a token (like a JWT) usually represents a session or user and often expires. Both authenticate requests.
API keys are randomly generated strings used to authenticate requests.
- Hex format: uses 0-9 and a-f (128-bit entropy for 32 chars)
- Alphanumeric: uses A-Z, a-z, 0-9 (190-bit entropy)
- Base64: includes +/ for maximum entropy
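The three formats above, generated with the Web Crypto API and rejection sampling so every symbol is equally likely. This is an added example, not this site's own code; the function names and the "demo_" prefix are constructed for illustration.

```javascript
// Added example, not the site's own code. Works in browsers and in Node.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const HEX = "0123456789abcdef";
const ALPHANUMERIC =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const ALPHABETS = new Map([
  ["hex", HEX],
  ["alphanumeric", ALPHANUMERIC],
  ["base64", ALPHANUMERIC + "+/"],
]);

// Draw `length` symbols uniformly from `alphabet` using rejection sampling.
// Bytes >= limit are discarded: for the 62-symbol alphabet, 256 % 62 = 8, so
// plain `byte % 62` would make the first 8 symbols slightly more likely.
function randomString(length, alphabet) {
  const limit = 256 - (256 % alphabet.length);
  const buf = new Uint8Array(Math.max(16, length * 2));
  let out = "";
  while (out.length < length) {
    rng.getRandomValues(buf); // CSPRNG; never Math.random() for keys
    for (const b of buf) {
      if (b < limit && out.length < length) out += alphabet[b % alphabet.length];
    }
  }
  return out;
}

// Entropy of the random part in whole bits: length * log2(alphabet size).
function entropyBits(length, alphabet) {
  return Math.floor(length * Math.log2(alphabet.length) + 1e-9);
}

// `prefix` (here the constructed "demo_") identifies the key type and adds
// no entropy, so it is excluded from the bit count.
function generateApiKey(format, length = 32, prefix = "") {
  const alphabet = ALPHABETS.get(format);
  if (!alphabet) throw new RangeError(`unknown format: ${format}`);
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  return { key: prefix + randomString(length, alphabet), bits: entropyBits(length, alphabet) };
}

for (const format of ALPHABETS.keys()) {
  const { key, bits } = generateApiKey(format, 32, "demo_");
  console.log(`${format.padEnd(12)} ${bits} bits  ${key}`);
}
```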