{{ summary.heading }}
{{ summary.primary }}
{{ summary.line }}
{{ badge.label }}
Use a short product or service code such as st, billing, or api; leave blank only for unprefixed secrets.
Choose the deployment lane that should appear in the key prefix.
Keep this short so the random secret remains the most visible part of the key.
Use public id plus secret for production API keys; secret-only produces a plain random token.
Base64URL is compact for APIs; hex is longest but easiest to inspect; Crockford Base32 avoids ambiguous characters.
Use 32 bytes for 256-bit API keys; lower only when a legacy field has a hard length limit.
bytes
Generate 1-50 keys for the current rollout, migration, or test fixture batch.
keys
Keep on when humans may paste or type keys; it is not a replacement for server-side verification.
{{ checksumActive ? 'Included' : 'Not included' }}
Use 6-8 bytes for compact database lookup ids without exposing the secret verifier.
bytes
Underscore is scanner-friendly; dot or hyphen may fit existing API key formats.
{{ header }} Copy
No rows in the current key batch.
{{ cell.value }} {{ cell.value }}
Tags: Devtools, Randomness, Security
JSON Validator Validate JSON, JSONC, JSON5, or JSON Lines in your browser, then catch syntax errors, duplicate keys, unsafe numbers, and root-shape issues.
Diceware Passphrase Generator Generate a Diceware passphrase from EFF long-list rolls, then check entropy, manual dice evidence, length limits, and site policy fit.
Secure Password Generator Generate account-ready passwords in your browser, tune character rules, and compare entropy, crack-time, zxcvbn strength, and history.
.env File Generator Generate reviewed .env and .env.example files from pasted rows or a small text file, with duplicate checks, quote guidance, and masked secret previews.
Customize
Advanced
:

API keys sit between passwords and operational identifiers. They are usually bearer credentials, so possession of a valid value is enough to make requests until the receiving service rejects, expires, or revokes it. A useful format therefore has to do two jobs at once: carry enough unpredictable secret material to resist guessing, and expose enough non-secret structure for humans and systems to identify the credential without asking for the full value again.

Public structure is helpful only when everyone treats it as public. A service prefix can identify the product, an environment segment can separate live and test credentials, and a public lookup ID can help the server find the verifier record quickly. None of those pieces should authorize a request by itself. The random secret segment is the part that carries guessing resistance.

Piece Normal purpose Security boundary
Prefix and environment Sort keys by service, tenant, rollout lane, or deployment stage. Useful in logs and tickets, but not secret entropy.
Public lookup ID Find the stored verifier record without scanning every active key. Safe to discuss as an identifier when the secret segment stays hidden.
Random secret Prove possession when the full presented key is checked. The only segment that should be counted as secret strength.
Check segment Catch common copy, paste, or typing mistakes. A paste guard, not a signature or server-side authorization rule.
API key anatomy Public labels and lookup identifiers help route a key, while the secret segment provides entropy and the stored hash supports verification. API key anatomy Prefix public label Environment public label Public ID lookup only Secret 128 to 512 bits Check paste guard Store verifier hash and metadata keep the full secret out of ordinary tables

Encoding changes how random bytes are printed, not how much entropy they carry. Base64URL is compact for headers and JSON, hexadecimal is easy to inspect, and Crockford Base32 avoids ambiguous characters, but a 32-byte secret still carries 256 bits before it is encoded. Shorter secrets may fit legacy fields, yet they leave less margin against guessing and accidental reuse.

  • Copy the full key only into the intended vault, deployment secret, or client handoff path.
  • Store verifier material and metadata on the server, not the full presented key in ordinary application tables.
  • Rotate keys that appear in chat, tickets, source control, screenshots, logs, or shared exports.
  • Pair every issued key with scope, rate limits, monitoring, and a revocation path.

API keys do not carry all the context a session or user account might have. The service receiving the key still has to verify the submitted full value, apply the current policy for that record, and reject old or overbroad credentials when the rollout changes.

How to Use This Tool:

Generate one rollout batch at a time so the key ledger, storage review, and JSON all describe the same credentials and handling policy.

  1. Enter a short Service prefix, then choose Environment. Use Custom only when the destination system needs a label that is not already listed.
  2. Choose Key shape. Prefix + public id + secret is the usual choice when your server can index by public ID before checking the submitted full key.
  3. Pick Secret encoding and Secret bytes. The summary should show the bit target you expect, such as 256 bit secrets for 32 bytes.
  4. Set Key count for the current issuance, migration, or fixture batch. Open Advanced only if you need a different Public id bytes value or separator character.
  5. Leave Check segment included unless the receiving format cannot accept it. The setting is not used for Secret only output because there are no public segments to guard.
  6. Select Regenerate keys. If generation is blocked, follow the status message before issuing any value. Common fixes are using a browser with cryptographic random generation, entering an alphanumeric custom environment, or keeping at least one public label for prefixed formats.
  7. Review API Key Ledger and Storage Review before copying or downloading. Confirm Secret entropy, Random source, Server storage, and Handling against your rollout policy.

Interpreting Results:

Secret entropy is the main security value in the ledger. It is calculated from the selected secret byte count, not from prefix, environment, public ID, separator, or check segment. The default settings produce 256 bits per secret, while the smallest allowed setting produces 128 bits.

  • API key is the value presented to the client or integration. Treat it as sensitive immediately.
  • Public id can support database lookup, audit notes, and support references, but it should not prove access.
  • Check helps catch copy and typing mistakes in prefixed formats. It does not replace server verification.
  • SHA-256 storage hash is a verifier value derived from the full presented key. Store it with the metadata your service needs for lookup, revocation, and audit.
  • Sensitive batch means the current output can leak live credentials through the clipboard, downloads, screenshots, browser history, or shared notes.

A high entropy number does not finish the security work. API keys still need narrow scope, rate limits, expiry or rotation, protected storage, monitoring, and a clear revocation path.

Technical Details:

API key strength comes from uniformly random bytes in the secret segment. Encoding only changes how those bytes are printed. A 32-byte secret carries 256 bits of entropy whether the characters are Base64URL, hexadecimal, or Crockford Base32. The display length changes because each alphabet carries a different number of bits per character.

Public labels improve operations without adding secret entropy. Prefixes, environment names, public lookup IDs, separators, and check values help humans and systems sort credentials, but the byte count of the random secret is what resists guessing. When comparing two key formats, compare the same secret byte count before considering visible length.

Formula Core:

The entropy calculation is direct byte math. The duplicate estimate below describes accidental duplicate secrets inside one generated batch. It is not the probability that an attacker guesses a valid key.

H = 8B P n(n-1) 22H

Here, B is Secret bytes, H is Secret entropy in bits, n is Key count, and P is the approximate duplicate-secret probability for that batch. With 32 secret bytes and 5 keys, H = 256 and the duplicate estimate is below 1e-30.

Transformation Core:

Segment Source Security meaning Result cue
Service prefix Letters and numbers from the prefix field after punctuation is removed. Operational label only. Appears first unless Secret only is selected.
Environment A listed environment, a custom alphanumeric label, or no environment segment. Routing, audit, and revocation context. Shown before the public ID or secret when enabled.
Public id Crockford Base32 generated from 4 to 12 public ID bytes. Lookup value, not secret entropy. The Public id column is populated only for the public ID plus secret shape.
Secret 16 to 64 cryptographically random bytes encoded as Base64URL, hexadecimal, or Crockford Base32. The only counted secret material. Secret length and Secret entropy describe this segment.
Check Four Crockford Base32 characters derived from the presented key body. Typo detection only. The Check column shows the value or off.
SHA-256 storage hash A SHA-256 digest of the full presented key. Verifier record for server-side comparison. The ledger shows one hash for each generated key.
Field or output Allowed or displayed range What to verify
Secret bytes 16 to 64 bytes, or 128 to 512 bits. Keep issued keys at least 128 bits; use 256 bits unless a destination limit forces a shorter value.
Key count 1 to 50 keys in the current batch. Generate only the number you can store, hand off, and revoke as one rollout.
Public id bytes 4 to 12 bytes when the public ID shape is active. Use the public ID for lookup and audit references, not as proof of possession.
Custom environment Must leave at least one letter or number after punctuation is stripped. If validation blocks generation, enter an alphanumeric label or choose another environment option.
Random source Requires browser cryptographic random generation. If the status reports an unavailable random source, switch to a modern trusted browser before issuing keys.

The three key shapes change which public segments are present. Prefix + public id + secret includes prefix, environment, public ID, secret, and optional check segment. Prefix + secret removes the public lookup ID while keeping public labels. Secret only removes prefix, environment, public ID, and check segment, leaving only the encoded secret.

Responsible Use Note:

Generate production keys only from a trusted device and browser session. The batch is prepared in the browser, but copied text, downloaded CSV, DOCX, JSON, screenshots, browser sync, and shared tickets can still expose live secrets. If your platform requires keyed hashing, a secret manager, or a different verifier format, follow that policy and use the generated hash as a reference rather than the only storage design.

Worked Examples:

For a production-style batch, use prefix st, environment Live, Prefix + public id + secret, Base64URL, 32 secret bytes, 5 keys, and an included check segment. Each ledger row follows the pattern st_live_, then a public ID, a 43-character secret, and a four-character check segment. Secret entropy shows 256 bits, and SHA-256 storage hash gives a verifier value for each full key.

A legacy system may accept only a plain token. Choose Secret only, Hexadecimal, 16 secret bytes, and 1 key. The API key becomes a 32-character hexadecimal secret, Public id shows -, Check shows off, and Secret entropy shows 128 bits. Keep the receiving service scoped, rate-limited, monitored, and ready for rotation.

If Environment is Custom and the custom value contains only punctuation, generation is blocked because the normalized environment is empty. Enter a value such as sandbox, choose a built-in environment, or choose None, then regenerate the batch.

FAQ:

Does the public ID need to stay secret?

No. The public ID is useful for lookup, audit notes, and support workflows. It should not authorize a request, and it is not counted in Secret entropy.

Which secret byte setting should I use?

32 bytes is the default and produces 256 bits of secret entropy. Use 16 bytes only when a destination field has a hard length limit, then compensate with tight scope, rate limits, monitoring, and clear rotation steps.

Why does the character length change when encoding changes?

Base64URL, hexadecimal, and Crockford Base32 print the same random bytes with different alphabets. The Secret length may change, but Secret entropy stays tied to Secret bytes.

What should be stored on the server?

Store the public metadata needed for lookup and audit, plus the SHA-256 storage hash or the verifier format required by your platform. Do not keep the full presented key in ordinary application tables.

Why is generation blocked?

The usual causes are a browser without cryptographic random generation, a custom environment that becomes empty after punctuation is stripped, or a prefixed shape with neither prefix nor environment. Fix the status message before issuing keys.

Glossary:

Bearer credential
A credential where possession of the value is usually enough to authenticate a request.
Secret entropy
The number of unpredictable bits in the random secret segment.
Public ID
A non-secret lookup segment that helps the server find the matching verifier record.
Check segment
A short non-secret value that helps catch copy, paste, or typing mistakes.
Verifier hash
A stored digest used to check a submitted full key without keeping the full key in ordinary tables.
Rotation
Replacing an issued key with a new value and retiring the old one in the receiving service.

References: