Numbers
API Token Pair Generator
An API token pair generator creates matching public and secret key pairs that mirror the authentication patterns used by production services like Stripe, Twilio, and SendGrid. Each pair has a public key that identifies the client and a secret key that signs or authenticates requests — structure developers need constantly but rarely have good dummy data for. Set your own prefix (pk, api, pub, or pk_test_ to match Stripe's format exactly), choose token length, and generate up to dozens of pairs at once. At the default 32 characters, each token carries roughly 190 bits of alphanumeric entropy — enough to pass most validation regex in a real codebase without modification.
How to use
- Choose your options above
- Click Generate
- Copy your result
Detailed instructions
- Set the prefix field to match your system's naming convention, such as pk, api, or pk_test_.
- Adjust the token length to match your system's validation requirements — 32 is a safe default.
- Set the count to how many pairs you need, then click Generate to produce all pairs at once.
- Copy individual pairs or the full list and paste them into your config file, seed script, or documentation.
Use Cases
- •Populating a Postman environment with realistic pk/sk credential pairs before real keys are provisioned
- •Seeding a multi-tenant Postgres fixture with per-account token pairs for local integration tests
- •Building an API key management UI in Figma or Storybook with plausible-looking credentials in every field
- •Writing SDK documentation or README examples that show structurally correct public and secret key formats
- •Testing prefix and length validation regex in a Jest or Cypress suite without touching production secrets
Tips
- →Use pk_live_ and pk_test_ prefixes to generate separate fixture sets for production-mirror and test environments.
- →Set length to exactly match your regex validator so generated keys pass format checks without editing.
- →Generate 10+ pairs at once when seeding a multi-tenant database — each pair is independent and ready to assign.
- →Pair this with a .env template: generate keys here, paste them in, and commit the template without values.
- →Avoid length values below 24 characters — short keys look unrealistic and may fail minimum-entropy checks in auth libraries.
- →For SDK documentation, use a consistent prefix like pk_example_ to make it obvious these are not real credentials.
FAQ
what's the difference between a public key and a secret key in an API token pair
The public key identifies who is making a request and is safe to log or include in client-side code. The secret key authenticates the request and must stay server-side only — exposing it is equivalent to handing over full account access. Services like Stripe use distinct prefixes (pk_ vs sk_) so developers can tell the two apart at a glance, which is exactly what this generator replicates.
are these generated tokens safe to use in a production API
No. The generator uses a non-cryptographic random source, so tokens are suitable only for development, testing, documentation, and demos. For production, generate keys with a CSPRNG: Node.js crypto.randomBytes(), Python's secrets module, or an equivalent platform primitive. Never commit real secret keys to source control — use environment variables or a secrets manager like AWS Secrets Manager or Doppler.
what token length should I use for realistic mock api keys
The default 32 characters is a solid choice — alphanumeric tokens at that length carry roughly 190 bits of entropy, which exceeds NIST recommendations and passes most key-length validators unchanged. Use 48 or 64 characters if your codebase has stricter length checks, or if you want mock data that survives a real validation pipeline without any tweaking.
How should I store an API secret key?
Keep secret keys out of source code and client-side bundles — store them in environment variables or a dedicated secrets manager, restrict who can read them, and rotate them if exposed. The public key can be shared; the secret must not. The generator produces matched mock pairs for development and documentation; for real keys, generate them securely server-side and protect the secret half accordingly.
What does an API key authenticate?
An API key identifies and authenticates the application or account making a request, so the server knows who is calling and can apply permissions and rate limits — it authenticates the caller, not an individual end user (that is what user auth tokens are for). The generator creates realistic public/secret mock pairs so you can build and test that flow without provisioning real credentials.
You might also like
Popular tools from other categories that share themes with this one.
Try these next
More free tools from other corners of the catalog, picked by shared themes.