[ ROOT ]
$GENERATE-RANDOM.ORG
Developer Tools for Random Data Generation // v2.6.1
root@generate-random:~/api-keys/php$ _

Generate API Keys in PHP

Complete code tutorial with examples and best practices

PHP
JavaScript Python Java C# C++ Ruby Go

[ Code Example - Quick Summary ]

Language: PHP

What: Generate cryptographically secure API keys in PHP using <code>random_bytes()</code> for authentication systems. API keys should be random, unpredictable, and contain sufficient entropy (128-256 bits recommended).

Try it: Use our interactive Api-keys generator or integrate this code into your PHP application.

Generate cryptographically secure API keys in PHP using random_bytes() for authentication systems. API keys should be random, unpredictable, and contain sufficient entropy (128-256 bits recommended). Looking for other languages? Check our code examples in JavaScript , Python , Java , C# , C++ , Ruby and Go or use our interactive web generator.

PHP Code Example

<?php
// Generate 32-byte (256-bit) API key
function generateApiKey(int $length = 32): string {
    $bytes = random_bytes($length);
    return bin2hex($bytes);
}

// Example: 64-character hexadecimal API key
$apiKey = generateApiKey(32);
echo $apiKey;
// Output: "a7f3e9c2d8b4f1a6e5c9d7b3f8a2e6c4d9b5f7a3e8c6d2b9f4a7e1c5d8b3f6a9"

// Base64 URL-safe encoding (shorter, 43 chars for 256 bits)
function generateApiKeyBase64(int $length = 32): string {
    $bytes = random_bytes($length);
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

$apiKeyBase64 = generateApiKeyBase64(32);
echo $apiKeyBase64;
// Output: "p3_pwr2L8RpuXJbT-IouaztX86jG0rmU9KfhxdizNpo"

// Calculate entropy: 32 bytes = 256 bits
// Collision probability: 1 in 2^256 (astronomically low)

[EXPLANATION]

This implementation uses PHP's random_bytes() function which provides cryptographically secure random data. The hexadecimal encoding produces a 64-character string for 32 bytes, while Base64 URL-safe encoding produces a shorter 43-character string with the same entropy. Both formats are suitable for API keys, with Base64 being more compact for transmission and storage.

Expected Output

Hexadecimal (64 chars): a7f3e9c2d8b4f1a6e5c9d7b3f8a2e6c4d9b5f7a3e8c6d2b9f4a7e1c5d8b3f6a9
Base64 URL-safe (43 chars): p3_pwr2L8RpuXJbT-IouaztX86jG0rmU9KfhxdizNpo
Base64 URL-safe (32 bytes): kL7mP9tR3wX6hY2jN8vB4qS1eC5fA9xD0pT7gU6iM3n

Common Use Cases

  • REST API authentication tokens
  • Service-to-service authentication
  • Webhook secret keys
  • OAuth client secrets
  • Internal microservice communication keys

Important Notes

  • Use minimum 128 bits (16 bytes) for API keys, 256 bits (32 bytes) recommended
  • random_bytes() is cryptographically secure (CSPRNG)
  • Base64 URL-safe encoding uses -_ instead of +/
  • Store API keys hashed in database (bcrypt/Argon2)
  • Never log or expose API keys in error messages

Try Our Interactive Generator

Don't want to write code? Use our free web-based Api-keys generator with instant results.

TRY API-KEYS GENERATOR →

Other Programming Languages

JAVASCRIPT $ view --lang=javascript

View Api-keys generation code examples in JavaScript
PYTHON $ view --lang=python

View Api-keys generation code examples in Python
JAVA $ view --lang=java

View Api-keys generation code examples in Java
C# $ view --lang=csharp

View Api-keys generation code examples in C#
C++ $ view --lang=cpp

View Api-keys generation code examples in C++
RUBY $ view --lang=ruby

View Api-keys generation code examples in Ruby
GO $ view --lang=go

View Api-keys generation code examples in Go