{{ summary.heading }}
{{ summary.primary }}
{{ summary.line }}
{{ badge.label }}
Use a short product or service code such as st, billing, or api; leave blank only for unprefixed secrets.
Choose the deployment lane that should appear in the key prefix.
Keep this short so the random secret remains the most visible part of the key.
Use public id plus secret for production API keys; secret-only produces a plain random token.
Base64URL is compact for APIs; hex is longest but easiest to inspect; Crockford Base32 avoids ambiguous characters.
Use 32 bytes for 256-bit API keys; lower only when a legacy field has a hard length limit.
bytes
Generate 1-50 keys for the current rollout, migration, or test fixture batch.
keys
Keep on when humans may paste or type keys; it is not a replacement for server-side verification.
{{ checksumActive ? 'Included' : 'Not included' }}
Use 6-8 bytes for compact database lookup ids without exposing the secret verifier.
bytes
Underscore is scanner-friendly; dot or hyphen may fit existing API key formats.
{{ header }} Copy
No rows in the current key batch.
{{ cell.value }} {{ cell.value }}
Tags: Devtools, Randomness, Security
Export to PDF Fullscreen
Customize
Advanced
:

API keys are bearer credentials. Anyone who holds a valid key can usually call the service it belongs to until the key is revoked, expires, or fails a server check. Good key generation therefore has two jobs: create enough unpredictable secret material, then keep enough readable structure around it so teams can identify, store, and rotate the key without exposing the secret again.

A useful API key format separates public routing information from the private secret. A short prefix can identify the product, an environment segment can separate live and test credentials, and a public lookup ID can help the server find the right verifier record. None of those segments should be counted as the secret. The random secret segment is the part that must resist guessing.

API key anatomy showing prefix, environment, public ID, secret, check segment, and storage hash.

Readable structure is helpful only when it does not weaken the secret. A public ID can appear in logs and database indexes, but it is not proof of access. A check segment can catch a paste or typing mistake, but it is not a signature. The server still needs to compare the submitted full key with a stored verifier and enforce scope, rate limits, revocation, and audit rules.

The safest habit is to treat a newly generated key as sensitive from the moment it appears. Copy it into the intended vault or deployment system, store only the verifier hash and supporting metadata in application tables, and rotate any key that lands in chat, tickets, logs, screenshots, or shared exports.

Technical Details:

API key strength comes from uniformly random secret bytes. Encoding changes how those bytes are displayed, not how many random bits they contain. A 32-byte secret has 256 bits of secret entropy whether it is shown as Base64URL, hexadecimal, or Crockford Base32. The visible length changes because each encoding packs bits into characters differently.

The public pieces should be read as routing and operations hints. Prefix, environment, public lookup ID, separator, and check segment help people and systems sort keys, but the secret byte count is the security control that resists guessing. For fair comparisons between batches, keep the secret byte count fixed and compare the same key shape and encoding.

Formula Core:

The entropy and batch collision estimate follow simple random-byte math. The collision estimate describes accidental duplicate secrets within the requested batch, not the chance that an attacker guesses a key.

H = 8B P n(n-1)22H

Here, B is the selected secret byte count, H is the displayed Secret entropy in bits, n is the requested Key count, and P is the approximate duplicate-secret probability for that one batch. With the default 32 secret bytes and 5 keys, the displayed entropy is 256 bits and the collision estimate is below 1e-30.

Transformation Core:

Segment Source Security meaning Result cue
Service prefix Letters and numbers from the prefix field, trimmed before use. Operational label only. Appears at the front unless Secret only is selected.
Environment Built-in value, custom letters and numbers, or no environment segment. Routing and revocation context. Shown before the public ID or secret when enabled.
Public id Crockford Base32 from 4 to 12 random public ID bytes. Lookup value, not secret entropy. The Public id column is populated only for the public ID plus secret shape.
Secret 16 to 64 Web Crypto random bytes encoded as Base64URL, hex, or Crockford Base32. The only counted secret material. Secret length and Secret entropy describe this segment.
Check Four Crockford Base32 characters derived from the presented key body. Typo detection only. The Check column shows the value or off.
SHA-256 storage hash A SHA-256 digest of the full presented key. Verifier record for server storage. The ledger shows one hash per generated key.

The three key shapes change which public segments appear. Prefix + public id + secret includes prefix, environment, public ID, secret, and optional check segment. Prefix + secret removes the public lookup ID but keeps the public labels. Secret only removes prefix, environment, public ID, and check segment, leaving only the encoded secret.

Control or output Allowed or displayed range What to verify
Secret bytes 16 to 64 bytes, or 128 to 512 bits. Keep at least 128 bits for issued keys; 256 bits is the default.
Key count 1 to 50 keys in the current batch. Generate only the batch you can store and hand off safely.
Public id bytes 4 to 12 bytes when the public ID shape is active. Use it for lookup and audit references, not as proof of possession.
Custom environment Must leave at least one letter or number after punctuation is stripped. If validation blocks generation, enter a real alphanumeric environment or choose None.
Random source Requires browser Web Crypto random generation. If the status says the browser is blocked, use a modern trusted browser before issuing keys.
Handling Changes to Sensitive batch once keys exist. Treat copied rows, downloaded tables, JSON, and screenshots as live secret material.

Everyday Use & Decision Guide:

Start with Prefix + public id + secret, Base64URL, 32 secret bytes, and a short Service prefix. That produces compact keys with 256 bits of secret entropy and a public lookup ID that can be indexed separately from the secret verifier.

Use the Environment field to prevent live, staging, test, and development keys from looking interchangeable. If the environment is sensitive or already implied by the target system, choose None. If you choose Custom, use a short alphanumeric value because punctuation is stripped before the key is assembled.

  • Choose Base64URL for compact API credentials that fit URLs, headers, and CLI variables cleanly.
  • Choose Hexadecimal when a system expects lowercase hex or when manual inspection matters more than length.
  • Choose Crockford Base32 when humans may read or type the secret and ambiguous letters should be avoided.
  • Keep Check segment on for prefixed keys that may be copied through tickets, terminals, or deployment notes.
  • Use Secret only only when another system already provides naming, environment, and lookup metadata.

Read API Key Ledger first. It contains the final API key, Public id, Secret length, Secret entropy, Check, and SHA-256 storage hash. Then open Storage Review to confirm the random source, entropy, lookup ID choice, hash status, and handling warning before the batch leaves the browser session.

A key with high entropy is still unsafe if it is pasted into logs, committed to a repository, or stored as plain text in an application table. The practical handoff is to store the full key once in a vault or deployment secret store, keep the hash and public metadata on the server, and rotate anything that was exposed during setup.

Step-by-Step Guide:

Generate one rollout batch at a time so the ledger, storage review, and JSON describe the same set of credentials.

  1. Set Service prefix to a short product or service code such as st, then choose Environment or enter a valid Custom environment.
  2. Choose Key shape. Use Prefix + public id + secret when your server can index by public ID, or Secret only when the destination system supplies all metadata elsewhere.
  3. Choose Secret encoding and Secret bytes. The summary should show the expected bit target, such as 256 bit secrets for 32 bytes.
  4. Set Key count for the current rollout, then open Advanced only if you need a different Public id bytes value or Segment separator.
  5. Leave Check segment included unless the destination format cannot accept it. The switch is ignored for Secret only output because there are no public segments to guard.
  6. Select Regenerate keys. If the status says Web Crypto random generation is unavailable, move to a modern trusted browser. If a custom environment error appears, enter at least one letter or number or choose another environment option.
  7. Review API Key Ledger and Storage Review. Confirm that Secret entropy, Random source, Server storage, and Handling match your rollout policy.
  8. Copy the final keys only after the storage plan is clear. Store the full secret in the intended secret system, keep the SHA-256 storage hash for verifier storage, and rotate any key that was exposed outside the handoff path.

Interpreting Results:

The most important output is Secret entropy. It is calculated from Secret bytes and does not include prefix, environment, public ID, separator, or check segment. A default batch shows 256 bits per secret, while the smallest allowed setting shows 128 bits.

  • API key is the value presented to the client. Treat it as sensitive as soon as it is generated.
  • Public id can help find a verifier record, but it should not grant access by itself.
  • Check catches common copy mistakes in prefixed formats. It does not replace server verification.
  • SHA-256 storage hash is a verifier value for storage. It should not be used as a display copy of the secret.
  • Sensitive batch in Storage Review means the current output can expose live credentials through copy buffers, downloads, screenshots, and shared notes.

Do not read a strong entropy number as a complete security review. The key still needs restricted scope, rate limits, rotation, careful storage, and removal from accidental disclosure paths. Before issuing the batch, use Storage Review to check the random source, storage hash, and handling row, then verify the receiving service will hash, compare, revoke, and audit the key correctly.

Worked Examples:

Default production-style batch

With Service prefix set to st, Environment set to Live, Key shape set to Prefix + public id + secret, Base64URL encoding, 32 secret bytes, 5 keys, and Check segment included, each ledger row follows the pattern st_live_ plus a public ID, a 43-character secret, and a 4-character check segment. Secret entropy shows 256 bits, and SHA-256 storage hash gives a verifier hash for each full key.

Secret-only hex for a constrained field

A legacy system may accept only a plain token. Choose Secret only, Hexadecimal, 16 secret bytes, and 1 key. The API key becomes a 32-character hex secret, Public id shows -, Check shows off, and Secret entropy shows 128 bits. That is the lowest entropy this generator will issue, so avoid lowering scope or rate-limit controls elsewhere to compensate for a short destination field.

Custom environment blocked by cleanup

If Environment is Custom and the custom value contains only punctuation, the normalized environment becomes empty and generation is blocked. The status asks for at least one letter or number. Enter a value such as sandbox, choose a built-in environment, or choose None before regenerating. Once the error clears, the summary returns to the bit target and key shape instead of the blocked state.

Responsible Use Note:

Generate production keys only from a trusted device and browser session. The key batch is built in the browser and the storage hashes are prepared there, but copied text, downloaded files, JSON, screenshots, browser history, and shared tickets can still leak secrets. Rotate any generated key that leaves the intended handoff path.

FAQ:

Does the public ID need to stay secret?

No. The public ID is meant for lookup, audit references, and support workflows. It should not authorize a request by itself, and it is not counted in Secret entropy.

Which secret byte setting should I use?

32 bytes is the default and produces 256 bits of secret entropy. Use 16 bytes only when a destination field has a hard length limit, and keep the receiving service scoped, hashed, rate-limited, and easy to rotate.

Why does changing encoding alter the character length?

Base64URL, hexadecimal, and Crockford Base32 display the same random bytes with different alphabets. The Secret length may change, but Secret entropy stays tied to Secret bytes.

What should I store on the server?

Store the public metadata you need for lookup and audit, plus the SHA-256 storage hash or your platform's chosen verifier record. Do not store the full presented key in ordinary application tables.

Why is generation blocked?

The usual causes are a browser without Web Crypto random generation, a custom environment that becomes empty after punctuation is stripped, or a prefixed key shape with neither prefix nor environment. Fix the status message before treating any output as issued.

Glossary:

Bearer credential
A credential where possession of the value is usually enough to authenticate a request.
Secret entropy
The number of unpredictable bits in the random secret segment, calculated from the selected secret byte count.
Public ID
A non-secret lookup segment that helps the server find the right verifier record.
Check segment
A short non-secret value that helps catch copy or typing mistakes in prefixed keys.
Verifier hash
A stored digest used to check a submitted full key without keeping the full key in ordinary tables.
Rotation
Replacing an issued key with a new value and retiring the old one in the receiving service.

References: