API Key Generator
Generate cryptographically secure API keys, tokens, and secrets. Choose from multiple formats including hex, base64, and UUID.
An API key is a unique string of characters used to authenticate requests to an API (Application Programming Interface). It acts as a secret token that identifies your application and grants access to specific services, such as OpenAI's GPT models, Stripe's payment processing, or AWS cloud resources.
Unlike passwords, API keys are typically generated once and embedded in server-side code or environment variables. They should never appear in client-side code, version control, or public repositories. A compromised API key can give attackers full access to your account and services, which is why cryptographic randomness and proper key management are critical.
Hex: Characters 0-9 and a-f. The most common format for API keys and tokens. A 32-byte hex key produces a 64-character string with 256 bits of entropy.
Base64: Characters A-Z, a-z, 0-9, +, /. More compact than hex: a 32-byte key produces a 44-character string. Common in authentication headers and JWT secrets.
Base64URL: Like Base64 but URL-safe, using - and _ instead of + and /. No padding. Ideal for keys that appear in URLs or query parameters.
UUID v4: Standard 128-bit format: 8-4-4-4-12 hex digits. Widely used for resource identifiers and some API systems. Provides 122 bits of randomness.
| Format | Bytes | Characters | Entropy | Use Case |
|---|---|---|---|---|
| Hex | 32 | 64 | 256 bits | Database IDs, signing secrets |
| Base64 | 32 | 44 | 256 bits | Auth headers, JWT secrets |
| Base64URL | 32 | 43 | 256 bits | URLs, query params |
| UUID v4 | 16 | 36 | 122 bits | Resource IDs |
| Alphanumeric | 32 | 32 | 190 bits | Human-readable tokens |
| Service | Prefix | Example | Type | Notes |
|---|---|---|---|---|
| Stripe | sk_ | sk_live_abc123... | Secret | Live vs test keys |
| OpenAI | sk- | sk-proj-xyz... | Secret | Project-scoped |
| AWS | AKIA | AKIAIOSFODNN7... | Access Key | Always 20 chars |
| GitHub | ghp_ | ghp_1234567890... | PAT | Fine-grained tokens |
| Twilio | SK | SK1234567890ab... | API Key | Account-level |
Using recognizable prefixes helps secret scanners (like GitHub's) detect leaked keys automatically.
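The formats in the table above and the prefix idea, reproduced with the Web Crypto API as an added example (this is not the tool's own code). The function names and the `demo_sk_` prefix are assumptions made up for illustration.

```javascript
// Added example, not the tool's code. Names and the demo_sk_ prefix are hypothetical.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const randomBytes = (n) => webcrypto.getRandomValues(new Uint8Array(n));

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// Base64URL: swap + and / for - and _, drop the = padding.
const toBase64Url = (bytes) =>
  toBase64(bytes).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// UUID v4: 16 random bytes with 6 bits fixed (version + variant) = 122 random bits.
function uuidV4() {
  const b = randomBytes(16);
  b[6] = (b[6] & 0x0f) | 0x40; // version nibble = 4
  b[8] = (b[8] & 0x3f) | 0x80; // variant bits = 10
  const h = toHex(b);
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join('-');
}

// Alphanumeric: rejection sampling keeps every character equally likely.
// 248 = 4 * 62, so bytes 248..255 are discarded instead of biasing b % 62.
const ALPHANUM = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
function alphanumeric(length) {
  let out = '';
  while (out.length < length) {
    for (const b of randomBytes(length)) {
      if (b < 248 && out.length < length) out += ALPHANUM[b % 62];
    }
  }
  return out;
}

// Prefixed key: fixed prefix + 32 random bytes as Base64URL (43 characters).
const PREFIX = 'demo_sk_';
const newApiKey = () => PREFIX + toBase64Url(randomBytes(32));

// Scanner side: the prefix and fixed length make leaked keys easy to match.
const KEY_PATTERN = /demo_sk_[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])/g;
const findLeakedKeys = (text) => text.match(KEY_PATTERN) ?? [];
```

`findLeakedKeys` is the kind of check a pre-commit hook or log pipeline can run; a key without a fixed prefix and length gives such a scanner nothing reliable to match on.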
32 bytes (256 bits) is the standard recommendation for API keys and secrets. This provides security equivalent to AES-256 encryption. Use 16 bytes minimum for less critical applications.
The keys are generated with the Web Crypto API, so the cryptographic randomness is production-grade. For team or enterprise environments, however, consider using a dedicated secret management system that handles rotation and access control.
API keys are typically long-lived credentials that identify an application. Tokens (like JWTs) are often short-lived, carry additional claims, and are tied to specific users or sessions.
UUIDs work as identifiers but only provide 122 bits of randomness. For security-sensitive keys (signing secrets, encryption keys), use 256-bit hex or base64 keys instead.
Base64 is the most common format for JWT signing secrets. Use at least 32 bytes (256 bits) for HS256 and 64 bytes (512 bits) for HS512. The key must be kept server-side only.
Rotate production keys every 90 days as a baseline. Rotate immediately if a key is exposed in logs, commits, or a breach. Use key management systems that support automatic rotation.