🔐 CRYPTOGRAPHICALLY SECURE — uses crypto.getRandomValues()

API Key / Secret Key Generator

Generate cryptographically secure API keys, tokens, JWTs, and secrets

🔒 Passwords generated and stored locally — never transmitted. All keys are generated in your browser using the Web Crypto API.
🔑 Key Format
UUID v4 — 128 bits of randomness in standard UUID format: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
📚 Which Format Should I Use?
| Use Case | Recommended Format | Bits | Example |
| --- | --- | --- | --- |
| JWT Secret | Hex 64 | 512 bits | a3f9b2c1d4e5… |
| Session Token | Hex 32 | 256 bits | 8f4a2b1c3d5e… |
| API Token | UUID v4 | 128 bits | 550e8400-e29b… |
| Encryption Key | Base64 | 256 bits | K8mN2pQ7rS1t… |
| Database Password | Hex 32 | 256 bits | 3c9a1f2b4d6e… |
| CSRF Token | Hex 32 | 256 bits | 7b3d5f1a9c2e… |
Security Note: Never commit API keys or secrets to version control. Use environment variables (.env files, CI/CD secrets, or secret managers) to store sensitive keys. Rotate keys immediately if exposed.

How to Generate a Cryptographically Secure API Key

A secure API key must be generated using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG), never Math.random(), timestamps, UUIDs from non-crypto sources, or any other predictable algorithm. PassKit.in uses crypto.getRandomValues(), the Web Crypto API's CSPRNG, to generate all keys from cryptographically strong randomness. A 32-byte Hex key (256 bits) has the same security level as an AES-256 encryption key.

API Key Formats Explained

What Is UUID v4?

UUID v4 (Universally Unique Identifier, version 4) is a 128-bit random identifier standardized in RFC 4122. Format: 550e8400-e29b-41d4-a716-446655440000. The "4" in position 13 identifies version 4 (random). Bits 64–65 are set to 10 (the RFC variant). PassKit.in generates compliant v4 UUIDs using crypto.getRandomValues(), setting bytes[6] = (bytes[6] & 0x0f) | 0x40 and bytes[8] = (bytes[8] & 0x3f) | 0x80 per the standard.
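
The byte-level steps described above, written out as an added example (this is not PassKit.in's own code). The helper names formatUuidV4, uuidV4, hexKey and isUuidV4 are assumptions chosen for this example; the formatting step is kept separate from the random source so it can be checked against fixed input.

```javascript
// Added example: RFC 4122 v4 UUID and hex secret from the Web Crypto CSPRNG.
// Browsers expose globalThis.crypto; older Node.js needs the require() fallback.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// Pure step: stamp version and variant onto 16 bytes, then format 8-4-4-4-12.
function formatUuidV4(input) {
  if (input.length !== 16) throw new RangeError("UUID needs exactly 16 bytes");
  const bytes = Uint8Array.from(input); // copy, do not mutate the caller's buffer
  bytes[6] = (bytes[6] & 0x0f) | 0x40; // high nibble -> version 4
  bytes[8] = (bytes[8] & 0x3f) | 0x80; // top two bits -> 10 (RFC variant)
  const h = toHex(bytes);
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// 6 of the 128 bits are fixed above, so 122 bits come from the CSPRNG.
function uuidV4() {
  return formatUuidV4(rng.getRandomValues(new Uint8Array(16)));
}

// Hex secret of nBytes random bytes: hexKey(32) is 256 bits, 64 characters.
function hexKey(nBytes) {
  if (!Number.isInteger(nBytes) || nBytes < 16) {
    throw new RangeError("use at least 16 bytes (128 bits)");
  }
  return toHex(rng.getRandomValues(new Uint8Array(nBytes)));
}

// Check for identifiers received from elsewhere: version digit 4, variant 8-b.
const UUID_V4_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
const isUuidV4 = (s) => typeof s === "string" && UUID_V4_RE.test(s);
```

isUuidV4 only confirms the layout of the version and variant bits; it says nothing about whether the remaining bits came from a CSPRNG.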

Why Not Use Math.random() for API Keys?

Math.random() is a pseudo-random number generator seeded by the current time. Its output is predictable — an attacker who knows the approximate time your key was generated can reconstruct the seed and brute-force possible outputs in milliseconds. Real-world attacks have exploited this in PHP (rand()), Java (java.util.Random), and JavaScript (Math.random()). Always use crypto.getRandomValues() (browser) or crypto.randomBytes() (Node.js) for security-sensitive values.

Frequently Asked Questions

UUID v4 is a 128-bit random identifier formatted as 32 hex digits with hyphens: 8-4-4-4-12. Version 4 means it is randomly generated (vs v1, which is time-based). PassKit.in generates RFC 4122-compliant v4 UUIDs using crypto.getRandomValues(): generate 16 random bytes, set byte 6 to version 4 (0x4x), set byte 8 to variant 2 (0x8x–0xbx), then format as a hex string with dashes.
Minimum 128 bits (16 bytes) of random data — this rules out brute force with any current hardware. Recommended: 256 bits (32 bytes) for API secrets, HMAC signing keys, and OAuth client secrets. For database row IDs where uniqueness matters more than secrecy, UUID v4 (122 bits effective) is sufficient. PassKit.in's Hex 32 format gives 256 bits — the same as AES-256 key strength.
Yes. All keys generated by PassKit.in use crypto.getRandomValues() — the same source used by your OS for cryptographic operations. They are suitable for API secrets, JWT signing keys, OAuth tokens, session IDs, HMAC keys, database UUIDs, and any security-sensitive application. Copy and use them directly.
For JWT HS256, use a 256-bit (32-byte) secret. PassKit.in's Base64 (44 chars) or Hex 32 (64 chars) formats both provide 256 bits. Base64 is slightly more compact and accepted by most JWT libraries. For HS512, use Hex 64 (512 bits). Never use a human-readable string as a JWT secret.