About API Key Generator

Secure random API keys with prefix (sk_, pk_, whsec_) — base62 or hex. Part of the DevTools Surf developer suite. Browse more tools in the Generators collection.

Use Cases

• Backend devs generating secure keys for new API services
• DevOps engineers provisioning keys for CI/CD pipeline auth
• SaaS founders creating initial API credentials for beta users
• Security teams rotating compromised keys with fresh replacements

Tips

• Choose a prefix like sk_ or pk_ to signal key type
• Switch between base62 and hex encoding for your stack
• Generate multiple keys at once for multi-tenant setups

Fun Facts

• Stripe popularized the sk_/pk_ prefix convention around 2011, making it easy to distinguish secret keys from publishable keys — now an industry standard.
• A 32-character base62 key has approximately 190 bits of entropy, making brute-force attacks computationally infeasible even with modern hardware.
• GitHub's secret scanning program, launched in 2018, checks every public commit against known API key formats and has revoked millions of accidentally exposed keys.

FAQ

What prefix conventions does it support?

Common ones: `sk_` (Stripe-style secret), `pk_` (public), `whsec_` (webhook signing), `tok_`, plus a custom prefix field. Prefixes help you identify the key type in logs.

Base62 or hex output?

Both. Base62 is shorter and URL-safe; hex is more readable. Base58 (Bitcoin-style) is available if you want to avoid visually ambiguous chars (0/O, 1/l).

Is the randomness crypto-secure?

Yes — uses the browser's `crypto.getRandomValues`. Safe for real API keys, session tokens, and secrets.

How long should an API key be?

32 characters of base62 gives ~190 bits of entropy — plenty for any practical threat. Shorter keys need prefixes + secret rotation.