Instantly generate cryptographically secure API tokens with custom permissions, TTL, and resource-level access control.
Configure the API key parameters. Keys are generated using cryptographically secure random number generation.
The key and its associated metadata are generated entirely in your browser.
Conceptual calculation: The generator uses the Web Crypto API's crypto.getRandomValues() function to produce cryptographically secure random bytes. These bytes are then encoded into the selected format (Base64URL, Hex, UUID, or Alphanumeric). The key prefix is prepended, and the scopes are assembled into a JSON policy object.
Key assumptions: The browser's CSPRNG is assumed to be properly implemented according to the Web Crypto API specification. The generated key is assumed to be unique per generation. The hash is computed using SHA-256 as a one-way representation.
Limitations and edge cases: UUID v4 format produces keys with a fixed structure that includes fixed bits. Very long keys may exceed database column limits. The tool cannot verify whether a generated key conflicts with existing keys in your system.
Configure the key length, encoding format, and expiration. Select or add permission scopes to define what actions the key can authorize. Click "Generate API Key" to create a new cryptographically secure key.
Copy the plaintext key immediately and store it securely. Use the SHA-256 hash for database storage. The key ID (first 8 characters) can be stored for display purposes without exposing the full key.
The generator uses the browser's crypto.getRandomValues() CSPRNG to produce random bytes. These bytes are encoded into your selected format. The prefix is prepended for identification. The scopes are serialized into a JSON policy object alongside metadata like creation time and expiration.
The plaintext key is the credential to provide to API consumers. The SHA-256 hash is what you store server-side for verification. The scope policy defines the authorized actions. The expiration timestamp indicates when the key becomes invalid.
This tool generates keys for testing and development. For production systems, use dedicated secrets management services like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault. Implement key rotation, revocation, and monitoring according to your security policies.
API keys are a common method for authenticating requests to web services. Unlike session tokens, API keys typically identify a project or application rather than an individual user. Proper API key management is essential for maintaining security without sacrificing usability.
Unscoped API keys grant full access to an API. If such a key is leaked, an attacker gains complete control. Scoped keys limit what actions can be performed, reducing the impact of a potential compromise. For example, a key scoped to read:users cannot be used to delete user accounts or modify data.
Follow the principle of least privilege: grant only the permissions necessary for the key's intended purpose. A reporting service needs read access, not write access. A backup service needs write access to the backup endpoint but not administrative functions.
API key security depends on the difficulty of guessing or brute-forcing the key. The entropy of a key is measured in bits and represents the logarithm base 2 of the key space. A 32-character Base64URL key has approximately 192 bits of entropy (6 bits per character), making brute-force attacks computationally infeasible.
| Key Length | Encoding | Entropy (bits) | Collision Probability |
|---|---|---|---|
| 16 chars | Base64URL | ~96 bits | Negligible for most uses |
| 32 chars | Base64URL | ~192 bits | Virtually impossible |
| 64 chars | Hex | 256 bits | Computationally infeasible |
| UUID v4 | UUID | 122 bits | Extremely unlikely |
Never store API keys in plaintext. Store only a one-way hash (SHA-256 or better) in your database. When a request arrives with an API key, hash it and compare against the stored hash. This way, even if your database is compromised, attackers cannot recover the original keys.
Hashing is one-way: you cannot reverse a hash to obtain the original key. Encryption is two-way: with the key, you can decrypt to obtain the original. For API keys, hashing is preferred because there is no need to ever retrieve the original key after creation. If you lose the plaintext key, you should revoke it and generate a new one.
API keys should have limited lifespans to reduce the window of exposure if a key is compromised. Implement key expiration and rotation policies appropriate to your use case. Short-lived keys (days to weeks) are safer but require more rotation effort. Longer expiration (months to a year) is acceptable for low-risk internal services.
Even with expiration, some situations require immediate key revocation: a key is accidentally committed to a repository, an employee with key access leaves the company, or suspicious activity is detected. Maintain a revocation list (or use a database flag) to reject keys immediately upon revocation, regardless of expiration time.
API keys and OAuth tokens serve different purposes and have different security properties.
| Aspect | API Key | OAuth Token |
|---|---|---|
| Purpose | Identify application/project | Delegate user authorization |
| User context | Usually not user-specific | Associated with user grant |
| Expiration | Typically long-lived | Usually short-lived |
| Refresh mechanism | Manual rotation | Refresh token flow |
| Scope control | Static per key | Dynamic per grant |
API keys are commonly used as the basis for rate limiting. When a request arrives, extract the API key, look up its associated quota, and check whether the limit has been exceeded. If so, return a 429 Too Many Requests response with a Retry-After header. This prevents abuse while allowing fair access distribution across API consumers.
API key scoping limits what actions a key can authorize. For example, a key scoped to read:products cannot modify products. Scoping reduces the impact of key compromise by ensuring each key has only the permissions it needs.
Never store the plaintext key. Compute a SHA-256 hash of the key and store only the hash. When a request arrives, hash the provided key and compare against the stored hash. The original key cannot be recovered from the hash.
UUID v4 provides 122 bits of entropy with a standardized format, making it easy to parse and display. Random strings with Base64URL encoding can provide higher entropy density. Both are suitable; choose based on your display and parsing requirements.
API keys identify an application or project and typically do not carry user context. OAuth tokens represent a user's authorization grant and include user-specific permissions. API keys are static; OAuth tokens expire and can be refreshed.
Extract the API key from incoming requests, look up its usage record, increment the counter, and check against limits. If exceeded, return 429 with Retry-After. Use sliding window or token bucket algorithms for accurate limiting.
32 characters in Base64URL provides approximately 192 bits of entropy, which is computationally infeasible to brute force. It balances security with convenience for display and storage while fitting within most database column sizes.
Generate HMAC-SHA256 signatures for message authentication and webhook verification.
Decode and inspect JWT tokens to verify payloads, headers, and signature status.
Build and configure Cross-Origin Resource Sharing headers for API access.
Generate SHA-256 hashes for secure password and key storage comparison.
Analyze session tokens and JWTs for security properties and vulnerability detection.
Visualize OAuth 2.0 flows with sequence diagrams and security recommendations.
Create and sign custom JSON Web Tokens for API authentication testing.
Create strong, random passwords with customizable character sets and length.