API Key Generator
Generate secure API keys for application authentication. Create alphanumeric, hexadecimal, Base64, and UUID format keys with customizable prefixes, suffixes, and security options.
API Key Format Comparison
| Format | Example | Typical Length | Entropy | Common Use | Security |
|---|---|---|---|---|---|
| Alphanumeric | sk_live_51Hx9Z9K3qR8M4nT7W2Y6P1A... | 32-64 chars | High | Most common, URL-safe | Excellent |
| Hexadecimal | a1b2c3d4e5f67890abcd1234ef567890 | 32-64 chars | Medium | Compact representation | Good |
| Base64 | dGhpcyBpcyBhIHRlc3QgS2V5IQ== | 24-44 chars | Very High | Maximum entropy | Excellent |
| UUID | 123e4567-e89b-12d3-a456-426614174000 | 36 chars | High | Standard format | Excellent |
API Key Security Practices
| Practice | Importance | Description | Implementation |
|---|---|---|---|
| HTTPS Enforcement | Critical | Always use HTTPS for API key transmission | Server configuration, HSTS headers |
| Rate Limiting | High | Prevent brute-force attacks | API gateway, middleware |
| Key Rotation | High | Regularly change API keys | Automated rotation system |
| Usage Monitoring | Medium | Track and audit key usage | Logging, analytics dashboard |
| Key Revocation | Critical | Quickly disable compromised keys | Admin panel, automated alerts |
| Environment Separation | High | Different keys for dev/staging/prod | Separate configurations |
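The "Rate Limiting" row above, worked through as an added example that is not part of this page: a fixed-window counter per API key with an injectable clock, and an Express-style middleware that exposes the remaining quota and a Retry-After value. The class and function names, the `X-RateLimit-*` header names and the `req.apiKey` property are this example's assumptions; the window and limit defaults match the "100 requests per 15 minutes" used elsewhere on the page.

```javascript
// Added example: per-key fixed-window rate limiting. Not the page's own code.
class ApiKeyRateLimiter {
  constructor({ limit = 100, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
    this.limit = limit;       // requests allowed per window
    this.windowMs = windowMs; // window length in milliseconds
    this.now = now;           // clock, replaceable in tests
    this.buckets = new Map(); // bucket id -> { windowStart, count }
  }

  // Count one request for `id` (use a key id or prefix rather than the raw
  // secret, so the secret is not kept in this map). Returns whether the
  // request is allowed plus the values for the rate-limit response headers.
  hit(id) {
    const t = this.now();
    let bucket = this.buckets.get(id);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      bucket = { windowStart: t, count: 0 };
      this.buckets.set(id, bucket);
    }
    const msUntilReset = bucket.windowStart + this.windowMs - t;
    if (bucket.count >= this.limit) {
      return { allowed: false, remaining: 0, retryAfterSeconds: Math.ceil(msUntilReset / 1000) };
    }
    bucket.count += 1;
    return { allowed: true, remaining: this.limit - bucket.count, retryAfterSeconds: 0 };
  }

  // Drop buckets whose window has ended so the map does not grow without bound.
  prune() {
    const t = this.now();
    for (const [id, bucket] of this.buckets) {
      if (t - bucket.windowStart >= this.windowMs) this.buckets.delete(id);
    }
    return this.buckets.size;
  }
}

// Express-style middleware. Assumes an upstream auth middleware stored the
// caller's key identifier on req.apiKey; callers without one are bucketed by IP.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const result = limiter.hit(req.apiKey || req.ip);
    res.set('X-RateLimit-Limit', String(limiter.limit));
    res.set('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.set('Retry-After', String(result.retryAfterSeconds));
      return res.status(429).json({ error: 'Too many requests' });
    }
    next();
  };
}

module.exports = { ApiKeyRateLimiter, rateLimitMiddleware };
```

Mount the middleware after authentication and before the protected routes; Express runs middleware in registration order, so a limiter registered after a route never sees that route's requests. A fixed window allows up to twice the limit across a window boundary; a sliding window or token bucket is the usual refinement when that matters.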
Common Use Cases
| Use Case | Format | Description | Key Length | Rotation / Expiry | Security Level and Notes |
|---|---|---|---|---|---|
| Third-party API Integration | Alphanumeric | External services accessing your API | 32 chars | 1 year | High - rate limiting, IP whitelisting |
| Mobile App Backend | Base64 | Mobile applications calling your API | 40 chars | 90 days | Very High - combine with user tokens |
| Internal Microservices | UUID | Service-to-service communication | 36 chars | 180 days | Medium - internal network only |
| Webhook Endpoints | Hexadecimal | External services posting to your webhooks | 64 chars | Indefinite | High - use with request signing |
API Key Implementation Example
```javascript
// Node.js Express API with API key authentication
const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();

// Store API keys (in production, use a database or Redis)
const validApiKeys = new Set([
  'sk_live_51Hx9Z9K3qR8M4nT7W2Y6P1A',
  'sk_test_78J3k9L2m1N5p8Q7R4T6W9Y0Z'
]);

// Rate limiting (using express-rate-limit). Express applies middleware in
// registration order, so the limiter is mounted before the routes it protects;
// mounting it after app.get() would leave those routes unlimited.
const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,                 // 100 requests per window
  message: 'Too many requests'
});
app.use('/api/', apiLimiter);

// API key middleware
const apiKeyAuth = (req, res, next) => {
  const apiKey = req.headers['x-api-key'] || req.query.api_key;
  if (!apiKey) {
    return res.status(401).json({ error: 'API key required' });
  }
  if (!validApiKeys.has(apiKey)) {
    return res.status(403).json({ error: 'Invalid API key' });
  }
  // Add key info to request
  req.apiKey = apiKey;
  next();
};

// Protected route
app.get('/api/data', apiKeyAuth, (req, res) => {
  res.json({
    message: 'Access granted',
    key: req.apiKey.substring(0, 10) + '...'
  });
});

app.listen(3000);
```
# API Documentation Example
## Authentication
All API requests require an API key.
### Header Method (Recommended)
```http
GET /api/data HTTP/1.1
Host: api.example.com
X-API-Key: sk_live_51Hx9Z9K3qR8M4nT7W2Y6P1A
```
### Query Parameter Method
```http
GET /api/data?api_key=sk_live_51Hx9Z9K3qR8M4nT7W2Y6P1A
```
## Rate Limiting
- 100 requests per 15 minutes per key
- Rate limit headers included in responses
## Key Management
- Rotate keys every 90 days
- Different keys for different environments
- Monitor usage in dashboard
- Revoke compromised keys immediately
## Error Responses
```json
{
"error": "Invalid API key",
"code": 403,
"message": "The provided API key is invalid"
}
```
## Best Practices
1. Never commit API keys to version control
2. Use environment variables
3. Implement HTTPS only
4. Monitor for suspicious activity
5. Have a key revocation process
Frequently Asked Questions
What is an API key?
An API key is a unique identifier used to authenticate a user, developer, or calling program to an API. It's typically a long string of letters and numbers that identifies the application or user making the API request.
How long should an API key be?
For security, API keys should be at least 32 characters long. 32-64 characters is typical. Longer keys are more secure but harder to work with. Consider using 32-character alphanumeric keys as a good balance.
Which key format should I use?
Alphanumeric (A-Z, a-z, 0-9) is most common and URL-safe. Hexadecimal is shorter but only 0-9, A-F. Base64 provides more entropy but may need URL encoding. UUIDs are standard but longer (36 chars).
Should API keys contain special characters?
Generally no. Alphanumeric keys are URL-safe and avoid encoding issues. If you need special characters, use only URL-safe ones (-, _, ., ~). Avoid characters that need URL encoding like ?, &, =, /, +, #, %.
Where should API keys be stored?
Never hardcode API keys in source code. Use environment variables, configuration files (not committed to version control), or secret management services. In client-side applications, use backend proxies to protect keys.
How should API keys be transmitted?
Always use HTTPS (never HTTP). Include keys in request headers (Authorization or X-API-Key headers). Never include in URLs as query parameters. Use short expiration times and refresh tokens when possible.
Should API keys have prefixes?
Yes, prefixes (like 'prod_', 'dev_', 'test_') help identify the environment and purpose. They make key management easier and help prevent accidentally using production keys in development.
How often should API keys be rotated?
Regular rotation is a security best practice. Rotate keys every 90 days for high-security applications, or annually for lower-risk systems. Immediate rotation is required if a key is compromised.
What is the difference between an API key and a token?
API keys identify the application, while tokens identify the user. API keys are typically long-lived, while tokens are short-lived (minutes to hours). Use API keys for application authentication, JWT/OAuth tokens for user authentication.