🔑 API Key Generator: Secure Random Tokens and Secret Keys

By ToolNimba Engineering Team · Updated 2026-06-23

Length (random characters)

Format

Prefix (optional)

How many keys?

Set your options and press Generate keys. Everything runs in your browser and nothing is sent anywhere.

This API key generator creates strong, random tokens and secret keys right in your browser. Choose the length, pick a format (hexadecimal, base64url, or alphanumeric), add an optional prefix, and generate one or many keys at once. Every value is built from your browser cryptographic randomness, so nothing is ever sent over the network. Generate the keys, copy them, and paste them straight into your environment file, secret manager, or config.

What is the API Key Generator?

An API key is a string of characters that identifies and authenticates an application or user when it calls an interface. Because anyone holding the key can act with its privileges, the key needs to be unpredictable. The safest way to achieve that is to draw the characters from a cryptographically secure random source rather than from a regular pseudo-random function. In the browser that source is the Web Crypto API, specifically crypto.getRandomValues, which is exactly what this tool uses for every character it produces. Server-side equivalents are crypto.randomBytes in Node.js and secrets.token_bytes in Python.

The format you pick changes which characters appear, not how the randomness is generated. Hexadecimal uses 16 symbols (0 to 9 and a to f), so each character carries 4 bits of entropy. Alphanumeric uses 62 symbols (A to Z, a to z, 0 to 9), giving about 5.95 bits per character. Base64url uses 64 symbols (the alphanumeric set plus a hyphen and an underscore), giving a clean 6 bits per character and staying safe to drop into URLs and file names without escaping. More entropy per character means a shorter string can still be very hard to guess. All three formats start from the same random bytes; only the encoding differs.

How long should a key be? The widely cited guidance from OWASP and major API providers is at least 128 bits of entropy, with 256 bits as a comfortable default that costs nothing extra. In practice that means roughly 32 hexadecimal characters, 22 alphanumeric characters, or 22 base64url characters for the 128-bit floor, and double those lengths for 256 bits. A key built this way cannot be brute forced with any realistic amount of computing power, so length is the single most important security choice you make here.

A prefix is a short label placed in front of the random part, such as sk_live_ or tn_. Prefixes do not add security, they add clarity: they let you tell a publishable key from a secret one at a glance, route the key to the right system, and let secret scanners such as GitHub secret scanning detect a leaked credential by its recognizable pattern. This generator keeps the prefix separate from the random body so the strength of the key always comes from the random portion, never from the label.

Generating the key is only half the job. The other half is storage. A raw API key should be shown to its owner exactly once, at creation time, and never stored in plain text on your server. The standard pattern is to hash the key with SHA-256, save only the hash plus a short non-secret prefix for lookup, and compare hashes on every request. If your database is ever leaked, the stored hashes are useless to an attacker, exactly like hashed passwords. Pair this with rotation (replacing keys on a schedule such as every 90 days), per-service keys so one leak does not expose everything, and scopes that limit what each key can do.

Never build a secret from Math.random, a timestamp, an auto-increment ID, a UUID, or any value derived from user data. Those sources are predictable or insufficiently random and have led to real account-takeover incidents. The only safe input for a secret is a CSPRNG, which is precisely what this generator uses. Treat the output as sensitive from the moment it appears: copy it into a secret manager or an environment variable, keep it out of version control, and revoke and replace it the instant you suspect it has leaked.

When to use it

Creating a secret key, bearer token, or access token for a new service, microservice, or webhook integration.
Generating a random API key to store in a .env file or a secret manager during local development.
Producing a batch of unique tokens at once for seeding a database, testing, or issuing to multiple clients.
Adding a recognizable prefix so publishable and secret keys can be told apart and scanned for in code.
Generating a strong client secret, signing key, or session token where a CSPRNG random string is required.
Rotating an existing key by minting a fresh value of the same length and format before retiring the old one.

How to use the API Key Generator

Set the length, meaning how many random characters the key should contain (longer is harder to guess; 32 or more for a secret).
Choose a format: hexadecimal, base64url, or alphanumeric.
Optionally type a prefix such as sk_live_ to label the key.
Set how many keys you want and press Generate keys.
Copy one key with its own button, or use Copy all to grab the whole batch, then paste into your secret manager or .env file.

Formula & method

entropy (bits) = length × log2(alphabet size). Hex = 4 bits per char, alphanumeric ≈ 5.95 bits per char, base64url = 6 bits per char. The prefix adds no entropy.

Worked examples

You generate a 32-character base64url key with no prefix.

Base64url has 64 symbols, so each character carries log2(64) = 6 bits.
Total entropy = 32 × 6 = 192 bits.
Possible values = 64 to the power of 32, far beyond any feasible brute-force guess.

Result: A 32-char base64url key holds about 192 bits of entropy, more than enough for a secret key.

You generate a 40-character hexadecimal key with the prefix tn_.

Hex has 16 symbols, so each character carries log2(16) = 4 bits.
Total entropy = 40 × 4 = 160 bits (the tn_ prefix adds none).
The stored key reads tn_ followed by 40 random hex characters.

Result: A 40-char hex body gives 160 bits of entropy; the prefix is only a readable label.

You need the shortest key that still clears the 128-bit security floor in alphanumeric format.

Alphanumeric carries about 5.95 bits per character.
Required length = 128 / 5.95, which rounds up to 22 characters.
Set length to 22 and format to alphanumeric, then generate.

Result: A 22-character alphanumeric key reaches about 131 bits, just over the recommended 128-bit minimum.

Bits of entropy by format and length (random body only, prefix excluded)

Length (chars)	Hex (4 bits)	Alphanumeric (≈5.95 bits)	Base64url (6 bits)
16	64 bits	95 bits	96 bits
24	96 bits	143 bits	144 bits
32	128 bits	190 bits	192 bits
48	192 bits	286 bits	288 bits
64	256 bits	381 bits	384 bits

Character sets used by each format

Format	Alphabet	Symbols	URL-safe
Hexadecimal	0-9, a-f	16	Yes
Alphanumeric	A-Z, a-z, 0-9	62	Yes
Base64url	A-Z, a-z, 0-9, hyphen, underscore	64	Yes

Recommended minimum length to reach common entropy targets

Security target	Hex chars	Alphanumeric chars	Base64url chars
128 bits (minimum for secrets)	32	22	22
192 bits (strong)	48	33	32
256 bits (comfortable default)	64	43	43
512 bits (high-security, finance/health)	128	86	86

Common mistakes to avoid

Treating the prefix as part of the security. A prefix like sk_live_ is a label, not a secret. All of the strength comes from the random body, so keep the random part long enough (24 characters or more) regardless of the prefix.
Making keys too short to save space. A very short key is faster to type but far easier to guess. For a secret key, aim for at least 128 bits of entropy, which is about 32 hex characters or 22 base64url characters.
Committing a generated key to a public repository. Once a secret key is pushed to a public repo it is compromised, even if you delete it later. Store keys in environment variables or a secret manager and add them to your ignore file.
Reusing one key everywhere. Sharing a single key across many services means one leak exposes all of them. Generate a separate key per service or client so you can rotate or revoke just the affected one.
Storing the raw key in your database. Keep only a SHA-256 hash of the key plus a short prefix for lookup, and show the raw value to the owner just once. A leaked database of hashes cannot be turned back into working keys.
Generating the secret from Math.random or a UUID. Math.random, timestamps, auto-increment IDs, and UUIDs are predictable or not random enough for secrets. Always use a CSPRNG such as crypto.getRandomValues, crypto.randomBytes, or secrets.token_bytes.

Glossary

API key: A string that identifies and authenticates an app or user when it calls an interface, granting whatever access that key is allowed.
Token: A generated credential, often used like an API key or bearer token, that proves identity or grants access without sending a password each time.
Entropy: A measure of unpredictability, in bits. More bits mean exponentially more possible values and a harder key to guess.
Base64url: A 64-symbol encoding (letters, digits, hyphen, underscore) that is safe to place in URLs and file names without escaping, unlike standard base64 which uses plus and slash.
Prefix: A short readable label placed in front of the random part of a key to identify its type or owner. It adds no security but helps secret scanners spot leaks.
CSPRNG: A cryptographically secure pseudo-random number generator, the kind of randomness suitable for secrets. The browser exposes it as crypto.getRandomValues.
Hashing: Running a key through a one-way function such as SHA-256 so you can store and verify it without keeping the raw secret. A leaked hash cannot be reversed into the key.
Key rotation: Replacing an active key with a fresh one on a schedule, such as every 90 days, so that an undetected leak has a limited useful lifetime.

Frequently asked questions

How are these API keys generated?

Each character is drawn from your browser built-in cryptographic randomness using crypto.getRandomValues, the Web Crypto API source meant for secrets. The tool maps those random bytes onto the chosen alphabet without modulo bias, so every character is equally likely.

Are the keys sent to a server?

No. The entire generator runs as client-side JavaScript in your browser. No key, prefix, or setting is transmitted, logged, or stored anywhere. You can even disconnect from the network and it still works.

Which format should I choose?

Base64url packs the most entropy per character and is safe in URLs and file names, so it is a good default. Hexadecimal is handy when a system expects only 0-9 and a-f. Alphanumeric avoids the hyphen and underscore if a service rejects those symbols.

How long should an API key be?

For a secret key, aim for at least 128 bits of entropy. That is roughly 32 hexadecimal characters, 22 base64url characters, or 22 alphanumeric characters. A 256-bit key (about 43 base64url characters) is a comfortable default and costs nothing extra.

What is the prefix for?

A prefix is a readable label such as sk_live_ or tn_ that helps you tell key types apart, route them, and let secret scanners flag leaks. It adds no randomness, so the security still depends entirely on the length of the random body.

Can I generate many keys at once?

Yes. Set the count and press Generate keys to get a list. Copy any single key with its own button, or use Copy all to put the whole list on your clipboard, one key per line, which is handy for seeding a database or issuing keys to many clients.

How should I store an API key on the server?

Do not store the raw key. Hash it with SHA-256, save only the hash plus a short non-secret prefix for lookup, and show the raw value to the owner exactly once at creation. On each request, hash the incoming key and compare. A leaked database of hashes cannot be turned back into working keys.

How often should I rotate API keys?

A common practice is every 90 days for sensitive systems, and immediately whenever you suspect a leak. Generate a fresh key, deploy it alongside the old one, switch traffic over, then revoke the old key. Per-service keys make rotation painless because you only touch one integration at a time.

Is a UUID good enough for an API key?

No. A version 4 UUID carries about 122 bits of randomness but its fixed format and hyphens make it easy to recognize, and some UUID generators are not cryptographically secure. Use a CSPRNG-backed random string of at least 128 bits instead, which is what this tool produces.

What is the difference between an API key and a bearer token?

An API key is usually a long-lived static secret you send with each request, often in a header or query string. A bearer token (such as a JWT or an OAuth access token) is typically short-lived and issued after authentication. This tool generates the high-entropy random string used as either one.