secretgenerator · api-key
Stripe-style API key generator
Generates tokens in the prefix_random shape that Stripe popularized. A static identifier ('sk_live', 'ghp', 'xoxb') makes leaked tokens trivially classifiable in repo scans, and a base62 random body is sized for ≥128 bits. The default is 32 base62 characters, about 190 bits.
defaults
| prefix | sk |
| separator | _ |
| body length | 32 chars (~190 bits) |
| min entropy | 128 bits |
generate
runs in your browser · WebAssembly · same code as the CLI
cli
Default sk_*
secretgenerator api-key --json
Stripe live secret key
secretgenerator api-key --prefix "sk_live" --length 40 --json
GitHub-style PAT
secretgenerator api-key --prefix "ghp" --separator "_" --length 36 --json
snippets
Python generate_api_key.py
import secretgenerator_py as sg
result = sg.api_key(prefix="sk_live", length=40)
print(result["password"], "—", result["entropy_bits"], "bits")
Node.js generate-api-key.mjs
import { execFileSync } from "node:child_process";
const json = execFileSync("secretgenerator", [
"api-key", "--json", "--require-schema-version=1",
"--prefix", "sk_live", "--length", "40"
], { encoding: "utf8" });
const out = JSON.parse(json);
console.log(out.password, "—", out.entropy_bits, "bits");
Rust main.rs
use secretgenerator::{api_key, ApiKeyOptions};

// `?` needs a function that returns Result, so the snippet lives in main().
fn main() -> Result<(), secretgenerator::Error> {
    let r = api_key(ApiKeyOptions::default().prefix("sk_live").length(40))?;
    println!("{} ({:.1} bits)", r.password, r.entropy_bits);
    Ok(())
}
faq
Why does the prefix matter for security?
GitHub's secret scanning, TruffleHog, gitleaks, and similar tools recognize known prefixes. A leaked token with a recognizable prefix gets revoked within minutes by upstream platforms; an opaque random string can sit in a public repo for months.
Should the prefix be counted toward entropy?
No. The prefix is a public identifier; only the base62 body contributes entropy. Set --length to size the secret body alone.
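The two FAQ answers above, worked through as an added example (this is not secretgenerator's own code): entropy is computed from the base62 body alone, bodies under the 128-bit minimum are refused, and the fixed prefix is what lets a scanner pattern pick the token out of a file. The function names, the "key" field, the alphabet ordering and the scanner's 22-character floor are assumptions made for this sketch.

```python
import math
import re
import secrets
import string

BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase
MIN_ENTROPY_BITS = 128  # minimum stated in the defaults table
# Shortest base62 body that still reaches the minimum.
MIN_BODY_LEN = math.ceil(MIN_ENTROPY_BITS / math.log2(len(BASE62)))


def body_entropy_bits(length: int) -> float:
    """Entropy of a uniformly random base62 body; the prefix adds nothing."""
    return length * math.log2(len(BASE62))


def make_api_key(prefix: str = "sk", separator: str = "_", length: int = 32) -> dict:
    """Build prefix + separator + body, refusing bodies under the minimum."""
    bits = body_entropy_bits(length)
    if bits < MIN_ENTROPY_BITS:
        raise ValueError(f"{length} chars = {bits:.1f} bits, need {MIN_ENTROPY_BITS}")
    # secrets.choice draws uniformly from the OS CSPRNG, so no modulo bias.
    body = "".join(secrets.choice(BASE62) for _ in range(length))
    return {"key": f"{prefix}{separator}{body}", "entropy_bits": bits}


def scanner_pattern(prefix: str, separator: str = "_") -> re.Pattern:
    """Pattern a repo scanner could use: fixed prefix, then a long base62 run."""
    return re.compile(rf"\b{re.escape(prefix + separator)}[0-9A-Za-z]{{{MIN_BODY_LEN},}}\b")


def find_keys(text: str, prefix: str) -> list[str]:
    """Return every token in text that carries the given prefix."""
    return scanner_pattern(prefix).findall(text)


if __name__ == "__main__":
    result = make_api_key(prefix="sk_live", length=40)
    print(result["key"], f"{result['entropy_bits']:.1f} bits")
    # Constructed sample: one prefixed key and one opaque hex secret in a file.
    sample = f'KEY = "{result["key"]}"\nNONCE = "{secrets.token_hex(20)}"'
    print(find_keys(sample, "sk_live"))  # only the prefixed key is classified
```

The opaque hex value in the sample is equally secret but matches nothing, which is the detection gap the prefix closes.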