
API Keys: Generation and Best Practices

Generate Secret Keys team June 3, 2026 7 min read

An API key identifies and authenticates an application (or a user's project) making requests to a service. In practice an API key is just a long random secret — but the practices around generating, storing, and retiring it are what keep your platform safe. Here is what good API key handling looks like.

Keys vs tokens

The terms overlap, but a useful distinction is lifetime and ownership. An API key usually identifies a long-lived integration and is created by hand in a dashboard, while a token is usually short-lived and issued automatically during a login or OAuth flow. Both should be high-entropy random secrets, and wherever the server keeps a copy to compare against, it should keep only a hash.

Generating the key

  • Use a CSPRNG. Generate at least 32 random bytes (256 bits) from the operating system's cryptographically secure source (Python's secrets module, Node's crypto.randomBytes, /dev/urandom), never a timestamp, a counter, or Math.random().
  • Encode for transport. Base64URL (43 characters for 32 bytes, padding stripped) or hex (64 characters) keeps the key safe in headers, URLs, and config files.
  • Add a prefix. A recognizable prefix such as sk_live_ or myapp_ tells a human what the string is during debugging and gives secret scanners a fixed pattern to match when a key lands in a repository or a log.
  • Consider a checksum. Some providers append a short checksum (GitHub's tokens carry a CRC32) so truncated or mistyped keys can be rejected before a database lookup. The checksum is a convenience, not a security control: a forged key with a valid checksum still has to fail the hash lookup.
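
The four steps put together, as an added Python example that is not the page's own generator: the layout (prefix, a 43-character base64url body from 32 CSPRNG bytes, then 8 hex characters of CRC32 over the body) and the sk_live_ default are illustrative choices made here, not a standard format.

```python
import base64
import secrets
import zlib

# Added example: generate a prefixed, checksummed API key and validate its
# shape cheaply before touching the database. Layout chosen for illustration:
#   <prefix><43-char base64url body><8-char lowercase hex CRC32 of the body>
KEY_BYTES = 32       # 256 bits of entropy from the OS CSPRNG
BODY_LEN = 43        # 32 bytes -> 44 base64 chars with one '=', 43 without padding
CHECKSUM_LEN = 8     # CRC32 rendered as zero-padded hex
ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def _checksum(body: str) -> str:
    # CRC32 is NOT a security control: it only lets truncated or mistyped
    # keys be rejected without a database round trip.
    return f"{zlib.crc32(body.encode('ascii')):08x}"


def generate_api_key(prefix: str = "sk_live_") -> str:
    """Prefix + base64url(32 CSPRNG bytes) + CRC32 checksum."""
    raw = secrets.token_bytes(KEY_BYTES)                     # never random.random()
    body = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    assert len(body) == BODY_LEN                             # sanity check on the encoding
    return f"{prefix}{body}{_checksum(body)}"


def validate_format(key: str, prefix: str = "sk_live_") -> bool:
    """Structural pre-check: prefix, length, alphabet, checksum. Not authentication."""
    if not key.startswith(prefix):
        return False
    rest = key[len(prefix):]
    if len(rest) != BODY_LEN + CHECKSUM_LEN:
        return False
    body, given = rest[:BODY_LEN], rest[BODY_LEN:]
    if not set(body) <= ALPHABET:
        return False
    # Plain == is fine here: the checksum is derived from the key the caller
    # already holds, so it is not a secret and timing does not matter.
    return given == _checksum(body)
```

validate_format is what an API gateway runs first so that garbage never reaches the hash lookup; the real decision is still the hash comparison described under "Storing keys safely".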

Storing keys safely

  • Hash before storing. Keep only a SHA-256 hash of the key in your database and look records up by that hash. When a request arrives, hash the presented key and compare. Because the key itself carries 256 bits of entropy, a plain unsalted SHA-256 is enough; the salted, slow hashes used for passwords defend against guessing, which is hopeless against a random 256-bit value. A database breach then exposes hashes that cannot be presented as keys.
  • Show once. Reveal the full key to the user a single time, at creation. Afterwards display only a masked form like sk_live_••••4f2a, keeping the last few characters so users and support staff can tell keys apart.
  • Never log full keys (log the key ID or the masked form instead) and never embed them in client-side bundles, mobile apps, or public repositories. Anything shipped to a client should be treated as public.

Scoping and limits

  • Least privilege. Attach granular scopes so a read-only key cannot write or delete.
  • Separate environments. Use distinct keys for test and live, and make the difference obvious in the prefix.
  • Rate-limit per key so a leaked key cannot be abused at scale before you notice.
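
The three controls in one added Python example (not the page's code): a key record whose environment is read from its prefix, a scope check, and a per-key token bucket. The ApiKeyRecord fields, the orders:read scope name, the check order and the limits are assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example: least-privilege scopes, test/live separation via the prefix,
# and per-key rate limiting. Names and limits are illustrative.


@dataclass(frozen=True)
class ApiKeyRecord:
    key_id: str            # public identifier, safe to log
    prefix: str            # e.g. "sk_live_" or "sk_test_"
    scopes: frozenset      # e.g. frozenset({"orders:read"})

    @property
    def environment(self) -> str:
        # The environment is encoded in the prefix so it is visible to humans
        # and scanners as well as to this check.
        return "live" if self.prefix.endswith("live_") else "test"


class TokenBucket:
    """Per-key limiter: `rate` requests/second sustained, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate, self.capacity = rate, capacity
        self._state: dict[str, tuple[float, float]] = {}   # key_id -> (tokens, last_ts)

    def allow(self, key_id: str, now: float) -> bool:
        tokens, last = self._state.get(key_id, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._state[key_id] = (tokens, now)
            return False
        self._state[key_id] = (tokens - 1.0, now)
        return True


def authorize(record: ApiKeyRecord, required_scope: str, request_env: str,
              limiter: TokenBucket, now: float) -> tuple[bool, str]:
    """Return (allowed, reason). Order: environment, then scope, then rate limit."""
    if record.environment != request_env:
        return False, "wrong_environment"     # a test key hitting a live endpoint
    if required_scope not in record.scopes:
        return False, "insufficient_scope"    # a read-only key trying to write
    if not limiter.allow(record.key_id, now):
        return False, "rate_limited"          # leaked key being hammered
    return True, "ok"
```

Denials for environment and scope do not consume rate-limit tokens, so a misconfigured client cannot starve its own legitimate traffic; only requests that would otherwise be served count against the bucket.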

Rotation and revocation

Keys leak — through screenshots, logs, departing employees, and mistakes. Plan for it:

  • Make rotation easy. Let users create a new key and run both old and new in parallel during a grace period before disabling the old one.
  • Support instant revocation. One click should permanently invalidate a compromised key.
  • Track usage. Record last-used timestamps and source so anomalies and unused keys are easy to spot.
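
The storage rules (hash at rest, show once, masked display) and the rotation, revocation and usage-tracking rules above, combined into one added Python example that is not the page's code: a minimal in-memory key store. The record fields, the key_ identifiers, the one-week default grace period and the use of secrets.token_urlsafe for the key body are assumptions for illustration; a real deployment would back this with a database table whose hash column is unique and indexed.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example, not the page's own code: an in-memory key store that keeps
# only SHA-256 hashes, hands the plaintext back exactly once, records usage,
# and supports rotation with a grace period plus instant revocation.
# Timestamps (seconds) are passed in rather than read from the clock so the
# behaviour is testable.

GRACE_SECONDS = 7 * 24 * 3600      # assumed default grace period for rotation


def hash_key(key: str) -> str:
    # A random 256-bit key cannot be guessed, so a fast, unsalted SHA-256 is
    # appropriate here (unlike passwords, which need a slow salted hash).
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def mask(key: str, prefix: str, visible: int = 4) -> str:
    """Display form after the one-time reveal, e.g. sk_live_••••4f2a."""
    return f"{prefix}••••{key[-visible:]}"


@dataclass
class KeyRecord:
    key_id: str                          # public identifier, safe to log
    owner: str
    prefix: str
    key_hash: str                        # the only thing stored about the secret
    masked: str
    created_at: float
    last_used_at: Optional[float] = None
    last_used_from: Optional[str] = None
    expires_at: Optional[float] = None   # set when the key is rotated out
    revoked: bool = False


class KeyStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, KeyRecord] = {}   # unique indexed column in a real DB
        self._by_id: dict[str, KeyRecord] = {}

    def create(self, owner: str, now: float, prefix: str = "sk_live_") -> tuple[str, KeyRecord]:
        """Return (plaintext, record). The plaintext is shown once and never stored."""
        plaintext = prefix + secrets.token_urlsafe(32)           # 32 CSPRNG bytes
        rec = KeyRecord(key_id="key_" + secrets.token_hex(8), owner=owner, prefix=prefix,
                        key_hash=hash_key(plaintext), masked=mask(plaintext, prefix),
                        created_at=now)
        self._by_hash[rec.key_hash] = rec
        self._by_id[rec.key_id] = rec
        return plaintext, rec

    def authenticate(self, presented: str, now: float, source: str) -> Optional[KeyRecord]:
        """Hash the presented key, look it up, enforce revocation and expiry, record usage."""
        # Looking up by hash means any timing difference in the comparison
        # leaks information about the hash, not about the key itself.
        rec = self._by_hash.get(hash_key(presented))
        if rec is None or rec.revoked:
            return None
        if rec.expires_at is not None and now >= rec.expires_at:
            return None
        rec.last_used_at, rec.last_used_from = now, source
        return rec

    def rotate(self, key_id: str, now: float, grace: float = GRACE_SECONDS) -> tuple[str, KeyRecord]:
        """Issue a replacement; the old key keeps working until now + grace."""
        old = self._by_id[key_id]
        old.expires_at = now + grace
        return self.create(old.owner, now, prefix=old.prefix)

    def revoke(self, key_id: str) -> None:
        """Instant and permanent: the record stays for audit but never authenticates again."""
        self._by_id[key_id].revoked = True

    def unused_since(self, cutoff: float) -> list[KeyRecord]:
        """Active keys never used, or not used since cutoff: candidates for cleanup."""
        return [r for r in self._by_id.values()
                if not r.revoked and (r.last_used_at is None or r.last_used_at < cutoff)]
```

Rotation never deletes the old record: it sets an expiry, so the caller can keep both keys live during the grace period and revoke the old one early if usage logs show it is no longer needed. Revocation likewise keeps the record, with its last-used timestamp and source, which is exactly what you want to read when investigating a leak.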

If a key leaks

Revoke it immediately, issue a replacement, and review the key's access logs (last-used time and source) for activity you do not recognize. Stored hashes limit what a database breach exposes; instant revocation and per-key usage records limit what a leaked key can do and tell you what it did. Together they turn a leak into an incident you contain rather than a breach you discover later.

Generate an API key now

Use the More tab's token generator to create a prefixed, high-entropy key in your browser, or the .env Bundle tool to produce a full set of application secrets at once. Hash the result with the Hashes tab before storing it.
