Token / API Key Generator

Tokens are generated using the Web Crypto API's crypto.getRandomValues(), which provides cryptographically secure random bytes. These bytes are then encoded into the selected format (hex, alphanumeric, Base64, or URL-safe).

Hex is great for simple, lowercase tokens. Alphanumeric is the most common for API keys. Base64 packs more entropy per character. URL-safe is identical to Base64 but replaces + and / with - and _ so the token is safe to use in URLs without encoding.

32 characters is a solid default for most API keys. For high-security applications, 48–64 characters provides excellent protection. Remember that hex tokens carry 4 bits of entropy per character, while alphanumeric tokens carry ~5.95 bits per character.

Prefixes like sk_live_ or pk_test_ are conventions popularised by Stripe. They make it easy to identify the type and environment of a key at a glance, and help secret-scanning tools detect leaked keys in code repositories.

Yes, the randomness comes from the browser's cryptographic RNG, which is suitable for production use. However, always transmit tokens over HTTPS, store them hashed on the server side, and rotate them periodically.