How Long Should You Make Your API Key

Developers commonly generate unique API keys for clients. But how long does an API Key need to be to make the chances of a collision smaller than the chance that your computer might be struck by lightning? Fewer than you’d think, argues Sam Corcos, co-founder of SightMaps over at

Developers often think they need a 50-digit monster to ensure API key uniqueness. But a little bit of math shows you most likely don’t need a digit half that long. Sam shows how you can calculate the probability of a key collision with a simple formula.

To work out the chances of a collision, you first need to know how many possible API keys you can generate and how many keys you will ever need to generate. The number you can generate is easy to calculate: it’s simply the number of characters that could appear in the key (so lower case letters, digits 0 to 9 and uppercase letters, for example) to the power of the number of digits in a key. The number of keys you will need, that you’ll have to guess. A safe bet is 10x the number of API clients you can expect in the lifetime of the API.

The magic formula is then 1 minus the probability of having no collisions, which can be approximated with the formula Euler’s number e to the power of k(k-1)/2n where k is the number of possible keys needed and n is the number of possible keys that could ever be generated.

With this formula you can work out that with a 62 char alphabet for your API, while the chance of a collision for a key of 3 digits is nearly one, with ten digits, the chances are less likely than being struck by lightning while you read this.

The lesson is: you can easily work out yourself how long your API key needs to be and the chances are it’s smaller than you think. 

Be sure to read the next Security article: Hundreds of Apps Found with Hard Coded Secret Tokens

Original Article

How Long Should I Make My API Key?