API Key Validator & Identifier
Paste any API key or token and instantly see which service issued it — OpenAI, Anthropic, Google, GitHub, Stripe, AWS and 12+ more — and whether the format is structurally valid. It all runs in your browser; the key is never uploaded.
How it works
The identifier is a pure, deterministic pattern matcher — no machine learning and no network calls. Each of the 18+ providers it knows has a rule describing its keys: the allowed prefixes, the character set of the body, a length range, and any special checks. Every rule cites the issuer's own key-format documentation, which is the authoritative source for that provider's format.
- Normalize. The input is trimmed and one layer of wrapping quotes is stripped (a common artefact of copying from a
.envfile). Empty input, or anything longer than 512 characters, is rejected with a clear message rather than a silent failure. - Match most-specific-prefix-first. Prefixes are tested longest-first, so
sk-ant-api03-wins oversk-, andsk-proj-orsk-or-v1-win over a baresk-. - Check each rule independently. Prefix, length, and character set are recorded separately so the tool can explain whya near-miss failed — for example “right prefix, wrong length” means the key was likely truncated on copy.
- Verify the GitHub checksum. For GitHub classic tokens (
ghp_,gho_,ghu_,ghs_,ghr_) GitHub appends a checksum: the last 6 characters are thebase62(CRC32(body))of the token body. Recomputing it offline confirms the token is well-formed — the one provider whose keys we can genuinely validate without touching the network. - Flag the environment. Stripe encodes live vs. test in the prefix, so
sk_live_is highlighted as a real-money key andsk_test_as sandbox-only. - Handle ambiguity and misses honestly. When several formats match a generic prefix, the tool lists the candidates instead of a false-confident single answer. When nothing matches, it reports signals (looks like 32-char hex? a UUID? Base64? a JWT?) and, for a JWT, points you to the dedicated decoder rather than half-parsing it here.
Identification is confirmed by two independent passes over the rule set that must agree, and the key value is never stored, logged, or sent anywhere. The tool reports format only — it deliberately never checks whether a key is active, because doing so would leak the secret.
Worked examples
Frequently asked questions
Sources & references
Every format rule cites the issuer's own key-format documentation. Primary references:
- OpenAI — API authentication & key formats
- Anthropic — API getting started (key format)
- Google Cloud — API keys (AIza format)
- GitHub — behind the new token formats (checksum scheme)
- Stripe — API keys (live/test, sk_/pk_/whsec_)
- Slack — token types (xoxb-, xoxp-, xapp-)
- AWS — IAM identifiers (AKIA/ASIA access key IDs)
The full per-provider rule set — 36 rules across 18+ issuers — lives in the tool's data module, each entry carrying its own source URL and a last-verified date of 2026-07-08.
Related tools
Comments & feedback
Spotted a bug or want an improvement? Tell us — our team reviews every comment, and good ideas get built. Comments are public and anonymous.
Spotted a key format we miss, or a rule that's out of date?
Email me at [email protected] — most fixes ship within 24 hours.