API Key Generator
Secure tokens for developers. Hex, Base64, alphanumeric, or UUID format.
API Key Best Practices
- Never commit keys to Git. Use .env files listed in .gitignore. If a key is accidentally committed, consider it compromised and rotate immediately — even if you force-push to remove it, the history is cached.
- Use environment variables in production. Inject keys via your hosting platform's secrets management (Vercel, Netlify, AWS) rather than config files.
- Implement key rotation. Support multiple active keys so you can deploy a new key before revoking the old one (zero-downtime rotation).
- Apply the principle of least privilege. Give each key only the permissions it needs. Use separate keys for read vs. write access.
- Monitor usage. Log API key usage and set up alerts for unusual patterns (rate spikes, requests from new IPs).
Key Storage Hierarchy
| Method | Security | Best For |
|---|---|---|
| Secrets manager (Vault, AWS SM) | Excellent | Production systems |
| CI/CD secrets (GitHub Actions) | Good | Build pipelines |
| .env files (local only) | Acceptable | Local development |
| Hard-coded in source | Terrible | Never |
| Client-side JavaScript | Terrible | Never (use server proxy) |
Common Key Prefixes by Service
| Service | Format |
|---|---|
| Stripe | sk_live_, pk_live_, sk_test_ |
| GitHub | ghp_, ghs_, ghu_ |
| AWS | AKIA (access key ID) |
| Slack | xoxb-, xoxp- |
Using a prefix makes keys easier to identify, scope, and detect when leaked. Secret scanning tools on GitHub automatically flag keys matching these patterns.
Frequently Asked Questions
What is an API key?
An API key is a secret token used to authenticate requests to an API or service. It acts as both an identifier and a password. API keys should be treated with the same security as passwords — never committed to code, shared publicly, or transmitted over unencrypted channels.
What format should I use?
Hex is the most common for internal tokens. Base64 is compact and URL-safe. Alphanumeric is human-readable and avoids encoding issues. UUID-style follows the standard UUID format. Choose based on your API's requirements.
What is a key prefix (like sk_live_)?
Prefixes help identify the key's purpose and environment at a glance. Common conventions: sk_live_ (secret, production), sk_test_ (secret, testing), pk_live_ (public, production). Stripe popularized this pattern. It also helps secret scanners detect leaked keys.
How should I store API keys?
1) Environment variables — store in .env files, never committed to Git. 2) Secrets managers — AWS Secrets Manager, HashiCorp Vault, or Doppler for production. 3) Never in source code, client-side JavaScript, or public repositories.
How often should I rotate API keys?
Rotate at least every 90 days, or immediately if compromised. Implement graceful rotation: generate a new key, update all services, then revoke the old one. Many APIs support multiple active keys to enable zero-downtime rotation.
How long should an API key be?
32 characters minimum (192+ bits of entropy for hex). 40-64 characters is standard. Longer keys provide more entropy but don't significantly change security beyond 256 bits. Choose the shortest length that meets your security requirements.
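The points above on prefixes, server-side storage, multiple active keys for zero-downtime rotation, and key length, pulled together as an added example (not the generator's own code): keys are drawn from the OS CSPRNG in the four formats the page lists, the server keeps only a SHA-256 digest of each issued key, and a client can hold two active keys while the old one is retired. The `KeyStore` class and its method names are assumptions for illustration.

```python
import hashlib
import secrets
import string
import uuid

ALPHANUM = string.ascii_letters + string.digits


def generate_key(fmt="hex", nbytes=32, prefix=""):
    """Return prefix + a token carrying nbytes of CSPRNG entropy in the given format."""
    if fmt == "hex":
        body = secrets.token_hex(nbytes)            # 2 chars per byte
    elif fmt == "base64":
        body = secrets.token_urlsafe(nbytes)        # base64url alphabet, '=' padding stripped
    elif fmt == "alphanumeric":
        chars = -(-nbytes * 8 // 5)                 # 62 symbols give ~5.95 bits each; 5 is a safe floor
        body = "".join(secrets.choice(ALPHANUM) for _ in range(chars))
    elif fmt == "uuid":
        body = str(uuid.UUID(bytes=secrets.token_bytes(16), version=4))  # 122 random bits
    else:
        raise ValueError(f"unknown format: {fmt}")
    return prefix + body


def key_digest(key):
    # Only the digest is stored, so a leaked database does not hand out usable keys.
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Hypothetical server-side store: several active keys per client, so rotation needs no downtime."""

    def __init__(self):
        self._digests = {}                          # sha256(key) -> client_id

    def issue(self, client_id, prefix="sk_live_"):
        key = generate_key("hex", 32, prefix)       # 256 bits of entropy behind the prefix
        self._digests[key_digest(key)] = client_id
        return key                                  # shown to the client exactly once

    def verify(self, presented):
        # Lookup by digest: a wrong key hashes to an unrelated value, so the comparison leaks nothing useful.
        return self._digests.get(key_digest(presented))

    def revoke(self, key):
        return self._digests.pop(key_digest(key), None) is not None

    def active_count(self, client_id):
        return sum(1 for c in self._digests.values() if c == client_id)
```

Rotation then reads: issue a new key, roll it out to every caller, confirm `verify` succeeds for it, and only then `revoke` the old one.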