Secret Keys Generator
Generate cryptographically secure API keys, tokens, UUIDs and secrets — in bulk, entirely in your browser.
This secret key generator creates developer-grade random keys for APIs, JWT and session secrets, encryption keys, salts and tokens. Every key is produced locally using your browser's cryptographically secure random source (crypto.getRandomValues) — no key is ever sent to a server, so it is safe for real production secrets. Pick a format (hex, Base64, Base64URL, alphanumeric, URL-safe, UUID v4 or a custom charset), set the length and count, add an optional prefix like sk_, and copy or download the results. The entropy in bits is shown for every key so you can confirm it is strong enough.
Frequently Asked Questions
Is this secret key generator cryptographically secure?
Yes. Every character is drawn from the browser's crypto.getRandomValues CSPRNG using rejection sampling to avoid modulo bias. It never uses Math.random, which is not suitable for secrets.
Are my generated keys sent anywhere?
No. All generation runs entirely in your browser with JavaScript. Nothing is uploaded, logged or stored on any server, which makes it safe to generate real production API keys and secrets.
What key formats can I generate?
Hex, Base64, Base64URL (URL-safe), alphanumeric, URL-safe (alphanumeric plus -._~), UUID v4, and a fully custom character set. This covers API keys, tokens, salts, encryption keys and database IDs.
How long should an API key or secret be?
Aim for at least 128 bits of entropy. A 32-character alphanumeric key is about 190 bits, and a UUID v4 carries 122 random bits. The tool shows the entropy in bits for every key so you can verify it meets your needs.
Can I generate many keys at once?
Yes. Set the Count field to create up to 500 keys in one click, then use Copy all or Download .txt to export them — useful for seeding many environments, tenants or test fixtures.
What does the prefix option do?
It prepends fixed text such as sk_ or pk_live_ to every generated key, matching the convention used by services like Stripe and OpenAI. The prefix is added after generation and is not counted in the entropy estimate.
What is the difference between Base64 and Base64URL?
Standard Base64 uses + and / characters, while Base64URL replaces them with - and _ so the key is safe to use in URLs, filenames and HTTP headers without escaping.
Can I use this for JWT or session secrets?
Yes. A long hex or Base64 key (for example 64 hex characters = 256 bits) makes a strong HMAC/JWT signing secret or session secret. Generate it here, then store it only in your server's environment variables.