API Key Generator
Mint production-ready API keys with templates for Stripe, GitHub, OpenAI and UUID-style segmented keys. Custom prefixes, charset (alphanumeric / hex / base64url), segments, separator and optional checksum. Free, 100% private.
What is the API Key Generator?
API Key Generator mints API keys that mirror the formats real platforms use. Built-in templates: Stripe live (sk_live_…), Stripe test (sk_test_…), GitHub Personal Access Token (ghp_…), OpenAI-style (sk-…), UUID-style segmented (8-4-4-4-12 hex), 4-segment human-dictatable, and raw Base64URL. Or roll your own — set the prefix, charset (alphanumeric / hex / base64url), body length (4–128 chars), number of segments and the separator character. An optional checksum appends a single sum-mod-36 character so single-character typos can be caught client-side (useful when humans copy keys around). Crypto-strong throughout: alphanumeric mode uses rejection sampling to avoid modulo bias and the entropy meter ranks every configuration as weak / OK / strong / overkill against 80 / 128 / 256-bit thresholds. Batch up to 200 keys per click. Nothing leaves the browser.
How to use it
- Pick a template (Stripe, GitHub, OpenAI, UUID-style) or set custom prefix / charset / length / segments.
- Optionally toggle UPPERCASE body or append a checksum character.
- Choose how many keys to mint (1–200).
- Click Regenerate, copy individual keys or download the whole batch as .txt.
Benefits
- Seven built-in templates that mirror real platforms — Stripe live/test, GitHub PAT, OpenAI, UUID-style, segmented, raw Base64URL.
- Custom prefix, charset, segments, separator and length for keys that match your app's conventions.
- Optional checksum character — a simple sum-mod-36 that catches single-char typos when humans paste keys.
- Strength meter ranks every key as weak / OK / strong / overkill against 80 / 128 / 256-bit thresholds.
- Alphanumeric mode uses rejection sampling so each character has uniform probability — no modulo bias.
- Batch 1–200 keys per click with downloadable .txt export.
- UPPERCASE toggle for keys that need to be visually distinct.
- Runs 100% in your browser — keys never reach a server.
Frequently asked questions
How is this different from the Session ID Generator?
Session IDs are typically opaque random strings. API keys often have a brand prefix ('sk_live_'), are segmented for readability ('xxxx-yyyy-zzzz') and sometimes carry a checksum. This tool handles all three patterns; the Session ID Generator is the simpler tool for raw tokens.
Are these real Stripe / GitHub keys?
No — they share the format but the random body is generated locally. Using a Toollyz-generated key on Stripe or GitHub won't work; their backends won't recognise it. Use the format to test your own systems or to mint keys for your own API.
What's the checksum character for?
It's a single sum-mod-36 character we append after the body. If a user mistypes one character of the key, the checksum almost certainly won't match — useful to fail fast client-side before hitting your auth endpoint. It's not cryptographic.
Why are 'segments' useful?
Long uninterrupted strings are hard to dictate over a phone or read off a slide. Splitting into 4×6 or 5×6 with a `-` separator makes keys human-friendly without sacrificing entropy.
What charset should I pick?
Alphanumeric (a-z A-Z 0-9) is the default and works everywhere. Hex is best when keys need to be all digits/lower for case-insensitive systems. Base64URL packs more entropy per character — use it when key length matters.
Can I generate API keys offline?
Yes — that's the point. Everything happens in the browser; no AI service, no API, no network call. You can disconnect from the internet and the tool still works.
How long should an API key be?
For production traffic, target ≥ 128 bits of entropy — about 22 base64url chars or 32 alphanumeric chars. The strength meter shows live. Stripe-style 32-char alphanumeric keys are ~190 bits.
Are the keys safe to commit?
Never. Even though we generate them locally, treat them like any production secret — store in a secret manager, environment variable, or a vault. Don't put them in git.
Can I add my own template?
Not via the UI today. Use the custom settings panel to match your format, then save it as the default in localStorage by leaving the settings active.
Why isn't the checksum cryptographic?
It's a one-character typo detector — there are only 36 possible values, so an attacker who knows the algorithm can trivially compute it. The point is catching paste errors, not preventing forgery.
Is anything uploaded?
No. All key minting and strength calculation runs in your browser.
Related tools
See all developer toolsSession ID Generator
Generate cryptographically random session tokens.
UUID Validator
Verify any UUID and detect its version (v1-v8).
Password Generator
Create strong, secure passwords in 6 modes — with live entropy and crack-time analysis.
Hash Generator
MD5 + SHA-1/256/384/512 of text or file, with HMAC support.