Skip to main content
Back to Numbers generators

Numbers

API Key Generator

This free API key generator produces random API keys online in four real-world formats — without writing a script or spinning up a server: 64-character hex strings, 32-character alphanumeric tokens, Stripe-style prefixed keys like `sk_live_...`, and segmented keys for human-readable distribution. Everything runs in the browser — nothing is logged or sent anywhere. Format matters more than most developers realize. Hex keys map cleanly onto the 256-bit shape used for HMAC signing. Alphanumeric keys are easier to read and copy. Prefixed keys encode scope and environment directly in the token, which cuts the cost of production mistakes. Set a custom prefix — `myapp_prod_` or `api_v2_` — and generate several keys at once for seeding fixtures, writing documentation, or filling config file placeholders.

Read the complete guide — 4 min read

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Select a key format from the dropdown: Hex (64 chars), Alphanumeric, Prefixed, or Segmented.
  2. If you chose Prefixed format, type your custom prefix (e.g., `myapp_prod_`) into the prefix field.
  3. Set the count field to how many keys you need — use 1 for a single token or higher to batch-generate.
  4. Click Generate to produce the keys, then copy individual keys or the full list for use in your project.

Use Cases

  • Seeding a Postgres staging database with realistic API key fixtures for 50 test users
  • Generating Stripe-style sk_live_ and sk_test_ tokens to document a SaaS billing integration
  • Creating 256-bit hex webhook secrets for HMAC-SHA256 signature validation in Express
  • Populating .env files and GitHub Actions secrets during local and CI/CD environment setup
  • Producing segmented keys in xxxx-xxxx format for license key documentation or Storybook examples

Tips

  • For webhook secrets specifically, use the Hex format — most HMAC validation libraries expect raw hex strings.
  • Prefix naming convention: use `_test_` vs `_live_` suffixes so engineers immediately know the key's environment without checking docs.
  • Generate a batch of 10 keys at once when seeding a test database — it's faster than running the tool repeatedly.
  • Alphanumeric keys are safer to include in URLs or QR codes since they avoid hex-only ambiguity with look-alike characters.
  • When writing API documentation, use segmented-format keys as examples — the visual breaks make them easier to scan and clearly fictional.
  • Rotate generated keys by regenerating the same format and prefix; consistent formatting makes regex-based key detection in logs reliable.

FAQ

What is an API key?

An API key is a token a client sends with each request so the server knows who is calling and what they're allowed to do. Unlike a user password, it identifies an application or integration, travels in a header or query parameter, and is designed to be issued, rotated, and revoked independently per client. Formats vary — hex, alphanumeric, prefixed, segmented — but the substance is the same: a long random string that's infeasible to guess.

Are these generated API keys safe for production?

Use them for development, testing, documentation, and mock data — not as production secrets. This tool generates keys client-side with the browser's standard Math.random, which is not a cryptographically secure source. For production, generate keys server-side from a CSPRNG (crypto.randomBytes in Node, secrets.token_hex in Python) or let your API gateway issue them, and store only a hash.

What format should an API key use?

Pick the format your consumers will handle most: hex for keys that feed HMAC or signature schemes, alphanumeric when humans copy them around, prefixed (like sk_live_ / sk_test_) when you want the environment readable at a glance, and segmented when keys are read aloud or typed. The prefixed style has become the de facto standard for SaaS APIs because a leaked key's blast radius is obvious from its first characters.

How long should an API key be?

Long enough that brute force is irrelevant: 32 random alphanumeric characters (~190 bits) or 64 hex characters (256 bits) are both far beyond guessable, and those are the two sizes this generator outputs. Going longer adds no practical security; going much shorter starts to matter if keys are rate-limited poorly. Length is also a UX choice — segmented formats trade a few bits for readability.

Why does the sk_live prefix pattern exist?

Stripe popularized encoding environment and scope into the key itself: sk_live_ for secret production keys, sk_test_ for test mode, pk_ for publishable ones. The prefix means humans and scanners can spot a dangerous credential instantly — secret-scanning tools flag sk_live_ tokens in commits within seconds. If you run your own API, adopting the same pattern (yourapp_prod_, yourapp_test_) is cheap and prevents real incidents.

You might also like

Popular tools from other categories that share themes with this one.

Try these next

More free tools from other corners of the catalog, picked by shared themes.