API Key Generator

How to use

1. 1Pick a format on the left: Hex, Base64, Base64URL, alphanumeric, lowercase, uppercase, numeric, or Custom alphabet.
2. 2Set the length. Bytes for hex, Base64, and Base64URL (so 32 bytes always means 256 bits); characters for alphabet-driven formats.
3. 3Optional: add a prefix like sk_live_, pk_test_, or hook_, and turn on a grouping separator with a group size for license-style readability.
4. 4Or click a framework preset to load the format, length, and prefix that Django, Flask, Rails, Express, NextAuth, or your JWT library expects.
5. 5Choose how many keys to generate (1 to 25) and click Generate. Use Copy on any row or Copy all to grab the whole batch.
6. 6Watch the entropy badge for the bit strength. Aim for 128 bits or more for long-lived API keys and session secrets.

About this tool

API Key Generator creates the random secrets that every project needs at bootstrap: API keys, session secrets, JWT signing secrets, webhook secrets, CSRF tokens, cookie secrets, and any other value that must be impossible to guess. Randomness comes from crypto.getRandomValues, the browser standard cryptographic source backed by the operating system entropy pool, the same source used by password managers and the Web Crypto API. Eight output formats cover the encodings that real configs expect: hex (2 chars per byte, the format used by Flask and Rails), Base64 (the openssl rand -base64 default that NextAuth, Auth.js, and many Express setups document), URL-safe Base64URL (no plus or slash, safe in URLs and cookies), alphanumeric, lowercase, uppercase, numeric, and custom (type your own alphabet). Length is measured in bytes for byte-encoded formats so a 32-byte hex secret is exactly 256 bits regardless of whether the encoded output is 64 hex characters or 44 Base64 characters. Framework presets fill in the right values for the most common cases: Django SECRET_KEY (50 chars from Django's URL-safe alphabet), Flask SECRET_KEY (24 bytes hex), Rails secret_key_base (64 bytes hex), Express session secret (32 bytes Base64), NextAuth / Auth.js NEXTAUTH_SECRET (32 bytes Base64), JWT HS256, HS384, and HS512 signing secrets (32, 48, and 64 bytes respectively to meet the RFC 7518 minimums), webhook secret, Stripe-style sk_test_ key, CSRF token, cookie secret, and Kubernetes secret. Optional prefix lets you stamp sk_live_, pk_, hook_, or any namespace your service uses on the front of the value. Optional grouping inserts dashes, underscores, dots, or spaces every N characters so the key reads more like a license code. Batch generation produces up to 25 keys at once for seeding staging environments or onboarding team members. An entropy readout shows the bit strength in real time using the standard length-times-log2-alphabet formula, with a strength bar that lines up with the 64, 128, and 256 bit checkpoints that security guidance commonly references. Modulo bias is eliminated by rejection sampling on a 32-bit buffer, so every character is drawn with strict uniform probability, which is the same approach reputable cryptographic libraries use under the hood. Everything runs locally in this browser tab. Keys, prefixes, alphabets, and counts never leave your device, never hit a server, and are never logged.

Free to use. Works in your browser. No signup, no login.