Laravel APP_KEY Generator
The exact base64:-prefixed key that php artisan key:generate produces.
$ php artisan key:generate --show
The format is strict, and Laravel checks it
Laravel's APP_KEY is the one framework secret on this site whose format is genuinely validated. php artisan key:generate emits base64: followed by standard base64 of 32 random bytes — 51 characters in total. The base64: prefix is part of the value, not documentation: strip it and Laravel reads the remaining 44 characters as raw key bytes, and the length check fails. And it must be standard base64, with + and / and = padding. Feed it base64url and it decodes to different bytes with no error message, leaving you with an app that cannot decrypt what it encrypted yesterday.
32 bytes, not 32 characters
Laravel's own config/app.php comment says the key "should be set to a random, 32 character string". That is misleading: Encrypter::generateKey() asks for 32 bytes, which base64 prints as 44 characters. The byte count is driven by the cipher — aes-256-cbc (the default in every recent skeleton) wants 32 bytes, aes-128-cbc wants 16 — and Encrypter::supported() compares the decoded length against the cipher with strict equality. A 32-byte key on an AES-128 config throws immediately.
What rotating it costs
Everything Laravel has encrypted with the old key becomes unreadable: sessions, cookies, and any column you put behind encrypted casts. On a running app that means logged-out users at best and unrecoverable data at worst, so treat rotation as a migration, not a config change. Keep the key in .env, out of the repository, and generate a distinct one per environment — a staging key that also unlocks production is not a second key.
Why does the key start with base64:?
Because the prefix is part of the value, not a label. Laravel uses it to know the rest is base64-encoded rather than raw key bytes. Strip it and Laravel reads the 44 remaining characters as raw bytes, which fails the cipher's strict length check.
32 characters or 32 bytes?
32 bytes. Laravel's own config comment says "32 character string", which is misleading: Encrypter::generateKey() requests 32 bytes for aes-256-cbc, and base64 prints those as 44 characters. With the base64: prefix the whole value is 51 characters.
What happens if I change APP_KEY on a live app?
Everything Laravel encrypted with the old key becomes unreadable: sessions, cookies, and any column using encrypted casts. Users get logged out, and encrypted data is lost unless you re-encrypt it during the transition. Treat rotation as a migration.
Nothing leaves your browser
- Don't take our word for it — turn off your wifi. Every generator on this site keeps working with the network disconnected. That's the whole proof, and it takes five seconds.
- Every value comes from
crypto.getRandomValues()— the CSPRNG built into your browser, neverMath.random(). - Generated secrets are never transmitted, logged or stored: no server-side generation, no cookies, no localStorage.
- Verify it yourself in the network tab: after loading, the page only talks to our self-hosted, cookie-less analytics — which counts page views and which generator type gets copied, never any value.
- Strict Content-Security-Policy; no third-party script origins.