Token / API Key Generator
Generate cryptographically random tokens and API keys in multiple formats.
Frequently Asked Questions
How are the tokens generated?
Tokens are generated using the Web Crypto API's crypto.getRandomValues(), which provides cryptographically secure random bytes. These bytes are then encoded into the selected format (hex, alphanumeric, Base64, or URL-safe).
What format should I choose?
Hex is great for simple, lowercase tokens. Alphanumeric is the most common for API keys. Base64 packs more entropy per character. URL-safe is identical to Base64 but replaces + and / with - and _ so the token is safe to use in URLs without encoding.
What length should I use?
32 characters is a solid default for most API keys. For high-security applications, 48–64 characters provides excellent protection. Remember that hex tokens carry 4 bits of entropy per character, while alphanumeric tokens carry ~5.95 bits per character.
What is the prefix for?
Prefixes like sk_live_ or pk_test_ are conventions popularised by Stripe. They make it easy to identify the type and environment of a key at a glance, and help secret-scanning tools detect leaked keys in code repositories.
Are these tokens safe to use in production?
Yes, the randomness comes from the browser's cryptographic RNG, which is suitable for production use. However, always transmit tokens over HTTPS, store them hashed on the server side, and rotate them periodically.