SecureStartKit

Free API Key Generator

Generate cryptographically secure API keys, webhook secrets, and tokens. Pick the byte length, format, and optional prefix. Every key is created locally in your browser with crypto.getRandomValues, the same secure random source used for TLS and session tokens. Nothing leaves your machine.

Last updated: May 5, 2026

The API Key Generator is a free security tool that creates cryptographically secure random keys using your browser's Web Crypto API. It supports hex, Base64, Base64URL, and alphanumeric output, lengths from 16 to 64 bytes, and optional prefixes like whsec_ or sk_live_ so leaked keys are easier to spot in logs. Generation runs locally with crypto.getRandomValues; no network request is made and no value is stored.

32 bytes (256 bits) is the standard for webhook secrets, JWT signing keys, and API tokens. 16 bytes is the minimum for production.

A prefix makes leaked keys easier to spot in logs and lets you scan repos for accidental commits.

Entropy: 256 bits. Strong, safe for any purpose.

Why your random key generator matters

Most online API key generators send your key to a server, log the result, or rely on JavaScript randomness that is not cryptographically secure. The first two leak the key before you ever paste it into your code; the third produces values an attacker can reproduce. A webhook secret generated by Math.random is functionally a public string, because the algorithm is deterministic and seedable. The same is true of Date.now mixed with Math.random, which is the most common pattern in "quick and dirty" key generation.

This tool uses crypto.getRandomValues, which reads from the operating system's cryptographically secure random source (CSPRNG). That is the same source the browser uses to generate TLS session keys, the same source Node.js uses for crypto.randomBytes, and the same source Stripe, GitHub, and OpenAI use to issue their own API keys. The output cannot be reproduced without compromising the underlying entropy pool, which is the whole point.

How does the generator work?

  1. Pick the entropy budget. Choose how many bytes of randomness the key should contain. Thirty-two bytes (256 bits) matches the strength of an AES-256 key and is the production default for webhook secrets and signing keys. Sixteen bytes (128 bits) is the floor.
  2. Pick the encoding. Hex doubles the byte count into a readable string. Base64 is roughly 4/3 the byte count. Base64URL is the URL-safe variant (no +, /, or =). Alphanumeric is for systems that reject special characters.
  3. Add a prefix (recommended). A prefix like whsec_ or api_v1_ makes the key trivially scannable in logs, source code, and secret-scanning tools. GitHub's secret scanning detects leaked tokens by their prefix patterns.
  4. Generate. The browser calls crypto.getRandomValues, encodes the bytes in your chosen format, prepends the prefix, and renders the result. Nothing is logged. Nothing is sent. Closing the tab destroys the only copy.
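
The four steps above as a runnable sketch. This is an added example, not the tool's own source: the names generateKey, randomAlnum and entropyBits are hypothetical, and the alphanumeric mapping (one character per requested byte, with rejection sampling to avoid modulo bias) is an assumption, since the page does not show how the tool maps bytes to that alphabet.

```javascript
// Added example: runs in a browser or in Node.js. Older Node versions lack the
// global `crypto` object, so fall back to the built-in module's webcrypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const ALNUM = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

function randomBytes(n) {
  const buf = new Uint8Array(n);
  rng.getRandomValues(buf); // filled from the OS-backed CSPRNG
  return buf;
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// URL-safe variant: swap + and /, drop the = padding.
const toBase64Url = (bytes) =>
  toBase64(bytes).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Assumption: one output character per requested byte. Bytes >= 248 are
// discarded (rejection sampling) so that `b % 62` is uniform over the alphabet.
function randomAlnum(length) {
  const limit = 256 - (256 % ALNUM.length); // 248
  let out = '';
  while (out.length < length) {
    for (const b of randomBytes(length - out.length)) {
      if (b < limit) out += ALNUM[b % ALNUM.length];
    }
  }
  return out;
}

function generateKey({ bytes = 32, format = 'hex', prefix = '' } = {}) {
  if (!Number.isInteger(bytes) || bytes < 16 || bytes > 64) {
    throw new RangeError('bytes must be an integer from 16 to 64');
  }
  if (format === 'alphanumeric') return prefix + randomAlnum(bytes);
  const encoders = { hex: toHex, base64: toBase64, base64url: toBase64Url };
  if (!encoders[format]) throw new TypeError(`unknown format: ${format}`);
  return prefix + encoders[format](randomBytes(bytes));
}

// Entropy carried by the random part of the key, in bits. The prefix adds none.
const entropyBits = (bytes, format) =>
  format === 'alphanumeric' ? bytes * Math.log2(ALNUM.length) : bytes * 8;
```

With this mapping a 32-character alphanumeric key carries about 190 bits rather than 256, so request more characters when a full 256 bits is needed.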

Recommended lengths by use case

| Use case | Byte length | Recommended format | Notes |
| --- | --- | --- | --- |
| Stripe webhook secret | 32 | hex with whsec_ prefix | Matches Stripe's own format |
| JWT signing key (HS256) | 32 | Base64 or Base64URL | 256-bit entropy required for HS256 |
| Internal API key | 32 | hex or Base64URL with prefix | Use a prefix to enable secret scanning |
| CSRF token (per-session) | 16-24 | Base64URL | Short-lived, rotated frequently |
| Encryption key (AES-256) | 32 | Base64 (for env vars) | Exactly 32 bytes, never more or less |
| Magic link token | 24-32 | Base64URL | Hash before storing in the database |

Frequently Asked Questions

What does the API key generator do?
The API Key Generator creates cryptographically secure random keys using your browser's Web Crypto API. Pick a byte length (16 to 64), a format (hex, Base64, Base64URL, or alphanumeric), an optional prefix like whsec_ or sk_live_, and how many keys you need. Each key is generated locally with crypto.getRandomValues. Nothing is sent to a server, nothing is logged, and the values exist only in your browser tab.
Why not just use Math.random for an API key?
Math.random is a pseudo-random number generator designed for non-security uses like animations and shuffling. Its output is predictable: an attacker who knows or can guess the seed can reproduce the entire sequence. crypto.getRandomValues uses the operating system's cryptographically secure random source (CSPRNG), the same one used for TLS keys and session tokens. Use crypto.getRandomValues for any value that protects something, even if you "just" need a quick test secret.
How long should an API key or webhook secret be?
For production secrets, 32 bytes (256 bits of entropy) is the standard. That matches Stripe webhook secrets, GitHub personal access tokens, and most JWT signing keys. Sixteen bytes (128 bits) is the absolute minimum for anything that protects production data. Below 80 bits of entropy, brute force becomes feasible. The entropy meter on this tool flags any setting that drops below the safe threshold for your chosen format.
Why use a prefix like whsec_ or sk_live_ on a key?
Prefixed keys are dramatically easier to spot in logs, server output, code reviews, and accidentally committed source files. GitHub's secret scanning, Trufflehog, and Gitleaks all use prefix patterns to detect leaked secrets. Stripe, OpenAI, GitHub, and Slack all prefix their keys for this reason. If you generate internal keys with a recognizable prefix like api_v1_, you can scan your repos and logs for that prefix at any time and know exactly what to rotate.
Are the generated keys sent anywhere?
No. The generator runs entirely in your browser using crypto.getRandomValues, which reads from your operating system's secure random source. There is no API route, no analytics on the inputs or outputs, no logging, and no telemetry. You can disconnect from the internet, generate keys, and reconnect; the tool will work the same. This is the same security model used by the Stripe Webhook Verifier on this site.
Which format should I pick: hex, Base64, or alphanumeric?
Use hex when you want the longest readable form and easy comparison (32 bytes becomes 64 hex characters). Use Base64URL for tokens you put in URLs or HTTP headers (URL-safe, no = padding). Use Base64 for general-purpose secrets stored in environment variables. Use alphanumeric when the receiving system rejects special characters (some legacy databases or CLI tools). Hex, Base64, and Base64URL produce the same number of bits of entropy for the same byte length; alphanumeric produces slightly less due to encoding overhead.
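
The prefix answer above says an internal prefix such as api_v1_ lets you scan repos and logs and know what to rotate. The following is an added example of that scan, not code from this site: buildKeyPattern and scanForKeys are hypothetical names, the sample key and log lines are constructed, and alphanumeric keys are assumed to be one character per byte.

```javascript
// Added example: find keys with a known prefix, format and length in text.
const CHARSETS = { hex: '0-9a-f', base64url: 'A-Za-z0-9_-', alphanumeric: 'A-Za-z0-9' };

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Characters produced by `bytes` random bytes in each format
// (Base64URL without padding; alphanumeric assumed 1 char per byte).
function encodedLength(bytes, format) {
  if (format === 'hex') return bytes * 2;
  if (format === 'base64url') return Math.ceil((bytes * 4) / 3);
  return bytes;
}

function buildKeyPattern({ prefix, format, bytes }) {
  const cls = CHARSETS[format];
  if (!cls) throw new TypeError(`unknown format: ${format}`);
  const n = encodedLength(bytes, format);
  // The lookahead rejects tokens that keep going past the expected length.
  return new RegExp(`${escapeRegExp(prefix)}[${cls}]{${n}}(?![${cls}])`, 'g');
}

// Returns one finding per match. Only the prefix and the first four characters
// are kept, so the scan report does not become a second copy of the secret.
function scanForKeys(text, spec) {
  const pattern = buildKeyPattern(spec);
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(pattern)) {
      const shown = m[0].slice(0, spec.prefix.length + 4);
      findings.push({ line: i + 1, redacted: `${shown}[redacted]` });
    }
  });
  return findings;
}

// Constructed sample data: not a real key, not a real log.
const SAMPLE_KEY = 'api_v1_' + '0123456789abcdef'.repeat(4);
const SAMPLE_LOG = [
  'INFO  starting worker',
  `DEBUG outbound headers: authorization=Bearer ${SAMPLE_KEY}`,
  'WARN  api_v1_deadbeef is too short to be a key',
  `ERROR retry with ${SAMPLE_KEY} failed`,
].join('\n');

const sampleFindings = () =>
  scanForKeys(SAMPLE_LOG, { prefix: 'api_v1_', format: 'hex', bytes: 32 });
```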
