Question 1

How are the keys generated?

Accepted Answer

All keys are generated using the Web Crypto API's crypto.getRandomValues() — the same cryptographically secure random number generator used by SSL/TLS and password managers. Keys are never sent to any server.

Question 2

What format should I choose?

Accepted Answer

Hex (base16) is widely used and safe in all contexts. Base64URL is compact and URL-safe. Alphanumeric is human-readable and useful for display. UUID v4 follows a standard format used by many frameworks.

Question 3

How long should my API key be?

Accepted Answer

For most APIs, 32 bytes of entropy (64 hex chars or 43 Base64URL chars) provides sufficient security. 256-bit keys are standard for secret key cryptography. For display codes, 16 bytes is acceptable.

Question 4

Should I add a prefix to my API key?

Accepted Answer

Adding a prefix (e.g., 'sk_live_' for Stripe, 'gh_' for GitHub) helps identify the key type, prevents accidental use in wrong environments, and enables secret scanning tools to detect exposed keys in code repositories.

Question 5

How do I store API keys securely?

Accepted Answer

Never commit API keys to version control. Store them in environment variables or secret management systems (AWS Secrets Manager, HashiCorp Vault, Doppler). In your database, store only a hash of the key (SHA-256), not the plain key.

Question 6

How do I generate a secure API key?

Accepted Answer

Click Generate above to create a cryptographically secure random API key using the browser's Web Crypto API (crypto.getRandomValues). The key is generated locally — nothing is sent to any server. Choose 32 bytes (256-bit) for most APIs or 64 bytes (512-bit) for high-security requirements. Store API keys in environment variables, never in source code.

Question 7

What makes an API key secure?

Accepted Answer

A secure API key should be at least 256 bits (32 bytes) of cryptographically random data, encoded in Base64 or hex. It must never be committed to git or exposed in client-side code. Rotate keys regularly and revoke compromised ones immediately. For time-limited API access, consider using JWTs instead — create them with DevDecode's JWT Encoder.

API Key Generator — Free Secure Random API Key Generator

Frequently Asked Questions

Secure API Key Generation

Related Tools

UUID Generator

Password Generator

PKCE Generator

Bcrypt Generator