HubTools

API Key Generator

Generate a 32-character alphanumeric API key. At ~190 bits of entropy, it cannot be brute-forced in practice.

What makes a good API key?

An API key is a bearer credential: anyone holding it can act as the user it identifies. It therefore has to be both unguessable and safe to copy through tools like curl, environment variables, and config files that don't always handle special characters cleanly. Thirty-two alphanumeric characters give roughly 190 bits of entropy, which is well past anything an attacker could exhaustively search even with all the world's compute. Restricting to alphanumerics avoids shell-quoting, URL-encoding, and copy-paste bugs that symbols sometimes trigger in API client libraries. Keys are computed locally on your device via crypto.getRandomValues(), so your data stays on your device. Production keys should also include a routing prefix like sk_live_ so your backend can identify the key type at a glance.

About API keys

Random 32-character alphanumeric strings give ~190 bits of entropy — well past any threshold for brute-force or birthday attacks.
  • Search space: 62^32 ≈ 2.3 × 10^57 possibilities (~190 bits)
  • Production convention: <prefix>_<random> e.g. sk_live_<32 chars> (Stripe), ghp_<36 chars> (GitHub)
  • Store as SHA-256 hash on the server, never plaintext
  • Rotate periodically and on any suspected compromise
  • Treat as a secret: never commit to git, never log, never embed in client code
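
The generation and storage practices above, as an added example (not HubTools' own code): characters are drawn with rejection sampling so each of the 62 symbols is equally likely, and the server keeps only the SHA-256 hash and compares it in constant time. It assumes Node.js, where webcrypto.getRandomValues() is the same call as the browser's crypto.getRandomValues(); all function names are hypothetical.

```javascript
// Added example for Node.js; names below are illustrative, not from the page.
const { webcrypto, createHash, timingSafeEqual } = require('node:crypto');

const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; // 62 chars

// 256 is not a multiple of 62, so `byte % 62` would favour the first 8
// characters. Reject bytes >= 248, the largest multiple of 62 that fits.
const LIMIT = 256 - (256 % ALPHABET.length);

function randomAlphanumeric(length) {
  let out = '';
  const buf = new Uint8Array(length * 2); // spare bytes cover rejections
  while (out.length < length) {
    webcrypto.getRandomValues(buf);
    for (const b of buf) {
      if (b < LIMIT && out.length < length) out += ALPHABET[b % ALPHABET.length];
    }
  }
  return out;
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize = ALPHABET.length) {
  return length * Math.log2(alphabetSize);
}

function hashKey(key) {
  return createHash('sha256').update(key, 'utf8').digest('hex');
}

// Issue a key in the <prefix>_<random> form. The plaintext goes to the
// caller once; only storedHash belongs in the database.
function issueKey(prefix = 'sk_live') {
  const key = `${prefix}_${randomAlphanumeric(32)}`;
  return { key, storedHash: hashKey(key) };
}

// Hash the presented key and compare digests in constant time.
function verifyKey(presented, storedHash) {
  const a = Buffer.from(hashKey(String(presented)), 'hex');
  const b = Buffer.from(storedHash, 'hex');
  return a.length === b.length && timingSafeEqual(a, b);
}
```

A fast hash is enough here because the key itself carries ~190 bits of entropy, unlike a human-chosen password.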

Frequently asked questions

How long should an API key be?
32 alphanumeric characters (~190 bits) is the de facto industry standard, used by Stripe (sk_live_<32 chars>), GitHub (ghp_<36 chars>), and AWS access keys (20 chars + 40-char secret). Anything past ~128 bits is cryptographically overkill, but 32 chars gives a comfortable margin and is easy to remember as a length policy.