ToolNimba Browse

🔑 API Key and Token Generator

By ToolNimba Engineering Team · Updated 2026-06-19

    Set your options and press Generate keys. Everything runs in your browser and nothing is sent anywhere.

    This API key generator creates strong, random tokens and secret keys right in your browser. Choose the length, pick a format (hexadecimal, base64url, or alphanumeric), add an optional prefix, and generate one or many keys at once. Every value is built from your browser cryptographic randomness, so nothing is ever sent over the network. Generate the keys, copy them, and paste them straight into your environment file, secret manager, or config.

    What is the API Key Generator?

    An API key is a string of characters that identifies and authenticates an application or user when it calls an interface. Because anyone holding the key can act with its privileges, the key needs to be unpredictable. The safest way to achieve that is to draw the characters from a cryptographically secure random source rather than from a regular pseudo-random function. In the browser that source is the Web Crypto API, specifically crypto.getRandomValues, which is exactly what this tool uses for every character it produces.

    The format you pick changes which characters appear, not how the randomness is generated. Hexadecimal uses 16 symbols (0 to 9 and a to f), so each character carries 4 bits of entropy. Alphanumeric uses 62 symbols (A to Z, a to z, 0 to 9), giving about 5.95 bits per character. Base64url uses 64 symbols (the alphanumeric set plus a hyphen and an underscore), giving a clean 6 bits per character and staying safe to drop into URLs and file names without escaping. More entropy per character means a shorter string can still be very hard to guess.

    A prefix is a short label placed in front of the random part, such as sk_live_ or tn_. Prefixes do not add security, they add clarity: they let you tell a publishable key from a secret one at a glance, route the key to the right system, and scan code repositories for leaked secrets by pattern. This generator keeps the prefix separate from the random body so the strength of the key always comes from the random portion, never from the label.

    When to use it

    • Creating a secret key or access token for a new service, microservice, or webhook integration.
    • Generating a random API key to store in a .env file or a secret manager during local development.
    • Producing a batch of unique tokens at once for seeding a database, testing, or issuing to multiple clients.
    • Adding a recognizable prefix so publishable and secret keys can be told apart and scanned for in code.

    How to use the API Key Generator

    1. Set the length, meaning how many random characters the key should contain (longer is harder to guess).
    2. Choose a format: hexadecimal, base64url, or alphanumeric.
    3. Optionally type a prefix such as sk_live_ to label the key.
    4. Set how many keys you want and press Generate keys, then copy one key or use Copy all.

    Formula & method

    entropy (bits) = length × log2(alphabet size). Hex = 4 bits per char, alphanumeric ≈ 5.95 bits per char, base64url = 6 bits per char. The prefix adds no entropy.

    Worked examples

    You generate a 32-character base64url key with no prefix.

    1. Base64url has 64 symbols, so each character carries log2(64) = 6 bits.
    2. Total entropy = 32 × 6 = 192 bits.
    3. Possible values = 64 to the power of 32, far beyond any feasible brute-force guess.

    Result: A 32-char base64url key holds about 192 bits of entropy, more than enough for a secret key.

    You generate a 40-character hexadecimal key with the prefix tn_.

    1. Hex has 16 symbols, so each character carries log2(16) = 4 bits.
    2. Total entropy = 40 × 4 = 160 bits (the tn_ prefix adds none).
    3. The stored key reads tn_ followed by 40 random hex characters.

    Result: A 40-char hex body gives 160 bits of entropy; the prefix is only a readable label.

    Bits of entropy by format and length (random body only, prefix excluded)

    Length (chars)Hex (4 bits)Alphanumeric (≈5.95 bits)Base64url (6 bits)
    1664 bits95 bits96 bits
    2496 bits143 bits144 bits
    32128 bits190 bits192 bits
    48192 bits286 bits288 bits
    64256 bits381 bits384 bits

    Character sets used by each format

    FormatAlphabetSymbolsURL-safe
    Hexadecimal0-9, a-f16Yes
    AlphanumericA-Z, a-z, 0-962Yes
    Base64urlA-Z, a-z, 0-9, hyphen, underscore64Yes

    Common mistakes to avoid

    • Treating the prefix as part of the security. A prefix like sk_live_ is a label, not a secret. All of the strength comes from the random body, so keep the random part long enough (24 characters or more) regardless of the prefix.
    • Making keys too short to save space. A very short key is faster to type but far easier to guess. For a secret key, aim for at least 128 bits of entropy, which is about 32 hex characters or 24 base64url characters.
    • Committing a generated key to a public repository. Once a secret key is pushed to a public repo it is compromised, even if you delete it later. Store keys in environment variables or a secret manager and add them to your ignore file.
    • Reusing one key everywhere. Sharing a single key across many services means one leak exposes all of them. Generate a separate key per service or client so you can rotate or revoke just the affected one.

    Glossary

    API key
    A string that identifies and authenticates an app or user when it calls an interface, granting whatever access that key is allowed.
    Token
    A generated credential, often used like an API key, that proves identity or grants access without sending a password each time.
    Entropy
    A measure of unpredictability, in bits. More bits mean exponentially more possible values and a harder key to guess.
    Base64url
    A 64-symbol encoding (letters, digits, hyphen, underscore) that is safe to place in URLs and file names without escaping.
    Prefix
    A short readable label placed in front of the random part of a key to identify its type or owner. It adds no security.
    CSPRNG
    A cryptographically secure pseudo-random number generator, the kind of randomness suitable for secrets. The browser exposes it as crypto.getRandomValues.

    Frequently asked questions

    How are these API keys generated?

    Each character is drawn from your browser built-in cryptographic randomness using crypto.getRandomValues, the Web Crypto API source meant for secrets. The tool maps those random bytes onto the chosen alphabet without modulo bias, so every character is equally likely.

    Are the keys sent to a server?

    No. The entire generator runs as client-side JavaScript in your browser. No key, prefix, or setting is transmitted, logged, or stored anywhere. You can even disconnect from the network and it still works.

    Which format should I choose?

    Base64url packs the most entropy per character and is safe in URLs and file names, so it is a good default. Hexadecimal is handy when a system expects only 0-9 and a-f. Alphanumeric avoids the hyphen and underscore if a service rejects those symbols.

    How long should an API key be?

    For a secret key, aim for at least 128 bits of entropy. That is roughly 32 hexadecimal characters, 24 base64url characters, or 22 alphanumeric characters. Longer is fine and costs nothing but a few extra bytes.

    What is the prefix for?

    A prefix is a readable label such as sk_live_ or tn_ that helps you tell key types apart, route them, and scan code for leaks. It adds no randomness, so the security still depends entirely on the length of the random body.

    Can I generate many keys at once?

    Yes. Set the count up to 50 and press Generate keys to get a list. Copy any single key with its own button, or use Copy all to put the whole list on your clipboard, one key per line.