How are API keys generated securely?
Using crypto.getRandomValues() — the browser's cryptographically secure random number generator — not Math.random().
Generate secure random API keys for development and testing.
The API Key Generator is an essential tool for developers creating APIs and web services. It generates random API keys in multiple formats (hex, base64, alphanumeric, UUID-like) with customizable length, prefixes, suffixes, and separators. Perfect for creating authentication keys, access tokens, and API credentials that match your specific requirements.
An API key is a randomly generated string used to authenticate requests to an API. Secure API keys use cryptographically random generation (not Math.random), are typically 32–64 characters, and are formatted in hex, base64, or alphanumeric encoding.
An API key is a shared secret passed by a client in HTTP requests to identify and authorize the caller. Unlike passwords, API keys are designed to be long, random, and machine-generated — not human-memorable.
**What makes an API key secure:**
• **Cryptographic randomness**: Generated using a cryptographically secure pseudo-random number generator (CSPRNG), not Math.random() (which is statistically random but not cryptographically secure)
• **Sufficient entropy**: At least 128 bits of entropy (32 hex characters = 128 bits, 43 base64 characters ≈ 258 bits, 22 UUID characters = 128 bits)
• **No predictable patterns**: No timestamps, sequential IDs, or hash of predictable inputs
**Common API key formats:**
• **Hex**: e.g., `a3f82c1d4e7b0953...` — uses characters 0–9 and a–f
• **Base64**: e.g., `K3fWx9+Abc...` — more compact, uses A–Z, a–z, 0–9, +, /
• **Alphanumeric**: e.g., `Kx3fW9AbcR...` — URL-safe, uses A–Z, a–z, 0–9 only
• **UUID v4**: e.g., `550e8400-e29b-41d4-a716-446655440000` — fixed 36-character hyphenated format
This generator uses the browser's Web Crypto API (crypto.getRandomValues), which draws on the operating system's secure random source rather than a user-space pseudo-random generator.
Concise answers for common searches — definitions, steps, and comparisons.
Yes — keys are generated in your browser. Nothing is uploaded. Open Network tab to verify.
Select Hex (0–9, a–f), Base64, or Alphanumeric (A–Z, a–z, 0–9). Alphanumeric is URL-safe and most broadly compatible. Hex is standard for API authentication tokens. Base64 is compact.
32 characters for hex (128-bit entropy) is the minimum recommended. For higher-security applications, use 64 hex characters (256-bit). Most major APIs use 32–64 character keys.
The key is generated immediately using crypto.getRandomValues. Each click produces a new, independent key.
Copy the key immediately. Store it in an environment variable, secrets manager (AWS Secrets Manager, HashiCorp Vault, .env file excluded from git), or password manager. Do not store raw API keys in code.
**Input:** Format: Hex · Length: 32 characters
**Output:** `a3f82c1d4e7b09534c0e11f2b8d63a90`
128 bits of entropy. Standard for most API authentication use cases.
**Input:** Format: Alphanumeric · Length: 32 characters
**Output:** `sk_live_Kx3fW9AbcRq7mZnP2vLdTj8Y`
Stripe, GitHub, Twilio, and similar services use alphanumeric keys with type prefixes (sk_live_, ghp_, etc.) for easy identification.
Common real-world scenarios where this tool saves time.
Generate unique API keys for dev/staging environments. Using a different key per environment makes revocation simple — rotate the dev key without affecting production.
Generate random secrets for validating webhook payloads (HMAC-SHA256 signatures). Services like Stripe, GitHub, and Shopify use shared secrets to sign webhook bodies.
Generate auth tokens for microservices communicating over an internal network. Each service gets a unique key, limiting the blast radius of any single compromised token.
Generate cryptographically random tokens for one-time-use links. A 32-byte random hex token is effectively unguessable — far more secure than sequential IDs.
Choosing the right encoding for your use case.
| Format | Characters used | 128-bit length | URL-safe | Best for |
|---|---|---|---|---|
| Hex | 0–9, a–f | 32 chars | Yes | Database tokens, hashes, general purpose |
| Base64 (URL-safe) | A–Z, a–z, 0–9, -, _ | 22 chars | Yes | Compact tokens, JWTs |
| Alphanumeric | A–Z, a–z, 0–9 | 22+ chars | Yes | Developer-facing API keys (Stripe-style) |
| UUID v4 | hex + hyphens | 36 chars | Yes | Resource IDs, database primary keys |
Math.random() produces statistically random-looking numbers, but the underlying pseudo-random generator is deterministic and seeded predictably — not suitable for security. crypto.getRandomValues() uses the operating system's entropy source (hardware events, timing jitter) and is cryptographically secure — unpredictable even if an attacker knows the algorithm.
At minimum, 128 bits of entropy — equivalent to 32 hex characters, 22 base64 characters, or a UUID v4. For high-security applications, 256 bits (64 hex characters) is recommended. Longer is safer — the key space grows exponentially with length, making brute-force attacks computationally infeasible.
All are secure if generated from a CSPRNG. Choose based on compatibility: Hex (0–9, a–f) is universally safe in URLs and headers. Base64 is compact but requires URL-safe variant (replaces + with - and / with _) for headers and query strings. Alphanumeric (A–Z, a–z, 0–9) is URL-safe and human-readable, making it popular for developer-facing API keys (similar to GitHub, Stripe, Twilio key formats).
Never in source code. Use environment variables (process.env.API_KEY), a .env file excluded from version control (.gitignore), a cloud secrets manager (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault), or a self-hosted vault (HashiCorp Vault). Keys in code — even in private repos — are frequently leaked via history, forks, and log files.
Not practically, if generated correctly. A 128-bit key has 2^128 possible values (~340 undecillion). At 1 billion guesses/second, brute-forcing would take 10^22 years — far longer than the age of the universe. The real risk is key leakage (committed to git, logged in plaintext, sent over HTTP), not guessing.
Generate a new key, update all services consuming the old key to use the new one, test the new key is working, then revoke the old key. For zero-downtime rotation in production: (1) generate new key, (2) add it alongside old key, (3) update clients, (4) revoke old key once all clients updated.
UUID v4 is a 128-bit random identifier formatted as `xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx`. It uses 122 random bits (not 128 — 6 bits encode version/variant). UUID v4 from crypto.getRandomValues is a valid API key format, but note that the format leaks that it is a UUID — some security guidelines recommend opaque random strings with no identifiable structure.
No — generation uses the Web Crypto API running entirely in your browser. No keys are transmitted to EverydayTools servers. You can verify this by opening your browser's Network tab during generation and confirming no outbound requests are made.
Generated API keys and tokens are created locally in your browser using Web Crypto—they are not sent to EverydayTools servers.
For production systems, rotate API keys regularly and store in a dedicated secrets manager — not in code or .env files committed to version control.
Reviewed on 2026-06-08.