Are the keys truly random and secure?

Yes. Keys are generated with window.crypto.getRandomValues(), the W3C WebCrypto API, which provides cryptographically strong random numbers sourced from the OS entropy pool. They are suitable for use as secrets.

Is any key data sent to your servers?

No. All generation happens inside your browser. No key value is ever transmitted over the network. You can verify this by going offline and using the tool — it works identically.

What is the difference between the formats?

Hex produces lowercase hexadecimal (0-9, a-f), doubling the byte count to characters. Base64 (URL-safe, no padding) uses A-Z, a-z, 0-9, -, _ and is more compact. Alphanumeric uses only letters and digits, safe for any URL or config file. UUID produces a standard RFC 4122 v4 universally unique identifier.

How long should my API key be?

For most applications, 32-byte (256-bit) keys are more than sufficient. A 64-character hex key represents 32 bytes of entropy. For extra safety or when using base64, 43 characters (32 bytes) is a common choice.

Can I use UUID as an API key?

UUIDs are valid random identifiers (122 bits of entropy) and work well as API keys, database row IDs, or idempotency keys. They are slightly less compact than a hex or base64 key of the same byte length.

API Key Generator

Name: API Key Generator
Availability: InStock
Author: Nham Vu

Choose a format and length, then generate cryptographically secure API keys instantly — all client-side using WebCrypto. No server, no logging.

Key Options

Format

Key Length 32 chars

864128256

Batch Count (1 – 20)

Click Generate Key to create your first key

Copied!

Summary

Choose a format and length, then generate cryptographically secure API keys instantly — all client-side using WebCrypto. No server, no logging.

How it works

window.crypto.getRandomValues() fills a Uint8Array with cryptographically random bytes drawn from the operating system entropy pool.
The random bytes are encoded into your chosen character set: lowercase hex, URL-safe Base64, or alphanumeric.
For UUID mode, the bytes are formatted as an RFC 4122 version 4 identifier with the version and variant bits set correctly.
The finished key is rendered instantly in the browser and is never transmitted or logged.

Use cases

Create API authentication tokens for REST APIs and webhooks.
Generate secret keys for HMAC signing or JWT secrets.
Produce random UUIDs for database primary keys or session IDs.
Bulk-generate test credentials for staging environments.
Generate client secrets for OAuth 2.0 application registration.

Frequently Asked Questions

Last updated: 2026-06-09 · Reviewed by Nham Vu