Instantly create cryptographically secure API keys with custom permission scopes and prefixes for your applications.
Configure the API key parameters using entropy-based sizing and permission scoping.
The key and metadata are generated entirely in your browser.
Conceptual calculation: The generator uses the Web Crypto API's crypto.getRandomValues() function to produce cryptographically secure random bytes. The number of bytes is calculated from the selected entropy (entropy / 8). These bytes are encoded into the selected format and combined with the prefix. The scopes are assembled into a JSON access policy object with metadata.
Key assumptions: The browser's CSPRNG is assumed to be properly implemented. Each generation is assumed to produce a unique key. The hash is computed using SHA-256 as a one-way representation.
Limitations and edge cases: Very high entropy values produce long keys that may exceed database limits. Some environments may have limited CSPRNG availability. The tool cannot detect conflicts with existing keys in your system.
Select the desired entropy level for your key (256 bits is recommended for most uses). Enter a prefix for key identification, select the encoding format, and choose the expiration timeframe.
Select the permission scopes that define what actions this key can authorize. Click "Generate Scoped Key" to create the key. Copy the plaintext key immediately and store it securely.
The generator calculates the required bytes from the selected entropy (bits / 8). It uses crypto.getRandomValues() to generate cryptographically secure random bytes. The bytes are encoded into the selected format and combined with your prefix.
The scopes are serialized into a JSON access policy alongside metadata including creation time, entropy level, and expiration.
The plaintext key is the credential to provide to API consumers. The SHA-256 hash is what you store server-side. The Access Control Policy JSON defines the authorized actions. The Key ID can be stored for display without exposing the full key.
This tool generates keys for testing and development. For production systems, use dedicated secrets management services. Always implement key rotation, revocation, and monitoring according to your security policies.
API keys are credentials that identify and authorize access to APIs. Unlike user authentication tokens, API keys typically identify an application or project rather than an individual user. Proper scoping of API keys limits what actions can be performed, reducing the impact of potential key compromise.
Entropy measures the randomness of a key in bits. Higher entropy means more possible key values, making brute-force attacks computationally infeasible. A key with 256 bits of entropy has 2^256 possible values—an astronomically large number that cannot be brute-forced with current computing technology.
| Entropy Level | Possible Values | Security Level | Recommended Use |
|---|---|---|---|
| 64 bits | 2^64 | Weak | Internal only, short-lived |
| 128 bits | 2^128 | Standard | General API access |
| 192 bits | 2^192 | Strong | Elevated access |
| 256 bits | 2^256 | Very Strong | Production, sensitive data |
| 384+ bits | 2^384+ | Maximum | High-security environments |
The principle of least privilege states that each key should have only the permissions necessary to perform its intended function. A key scoped to read:analytics should not be able to write or delete data. This limits damage if the key is compromised.
API scopes typically follow a resource:action pattern. Common scopes include read, write, delete, and admin. More granular scopes might be resource-specific like read:users, write:orders, or delete:products.
Prefixes like sk_live_, sk_test_, or api_ serve multiple purposes: they identify the key type at a glance, help with key rotation by indicating which system issued the key, and prevent accidental use of test keys in production environments.
Use sk_live_ or prod_ for production keys, sk_test_ for test environment keys. This visual distinction helps developers quickly identify key purpose and reduces the risk of using test keys in production systems.
Never store plaintext API keys. Compute a SHA-256 hash of the key and store only the hash in your database. When a request arrives, hash the provided key and compare. This ensures that even if your database is compromised, attackers cannot recover the original keys.
Implement regular key rotation based on sensitivity and compliance requirements. High-security environments may require monthly rotation, while lower-risk APIs might use quarterly or annual rotation. Always have a revocation mechanism for immediate invalidation when needed.
When a request arrives with an API key, your server should: extract the key, look up its associated hash and scope policy, verify the key hasn't expired or been revoked, then check whether the requested action is within the granted scopes. Return 403 Forbidden if the scope check fails.
An API key scope defines what actions a key can authorize. For example, a key scoped to read can only perform read operations, not write or delete. Scoping limits damage if a key is compromised.
The keys generated here use cryptographically secure random number generation and meet entropy requirements for production use. However, always use proper secrets management services for enterprise deployments and ensure secure storage practices.
Prefixes help identify key type and environment at a glance, aid in key rotation management, and prevent accidental use of test keys in production systems.
Extract the API key from requests, look up its stored hash and scope policy, verify expiration and revocation status, then check if the requested action matches the granted scopes before allowing access.
256 bits (32 bytes) of entropy provides sufficient security for most production API keys. This produces a 32-character Base64URL string or 64-character hex string. Higher entropy is recommended for high-security or long-lived tokens.
Rotation frequency depends on key sensitivity and compliance requirements. High-security environments may need monthly rotation, while standard APIs might use quarterly or annual rotation. Always maintain a revocation mechanism for immediate invalidation.
Decode and inspect JWT tokens to verify payloads, headers, and signature status.
Generate HMAC-SHA256 signatures for message authentication and webhook verification.
Build and configure Cross-Origin Resource Sharing headers for API access.
Generate SHA-256 hashes for secure password and key storage comparison.
Generate secure API tokens with custom permissions and TTL for granular access control.
Analyze session tokens and JWTs for security properties and vulnerability detection.
Create and sign custom JSON Web Tokens for API authentication testing.
Create strong, random passwords with customizable character sets and length.