What are the valid characters for the APIKey?

Part of my solution involves encrypting and decrypting the APIKey for the user.

If the user enters the wrong password for the decrypt, they’ll get a string returned that is not their API key.

If I’m able to test the string for characters which I know would never be part of the API Key I may be able to (sometimes? frequently?) catch this user error without calling the API.

What characters may be part of the API Key? Alphanumeric, “-”, what else?


I’m pretty sure all the keys start “sk-” and are mixed-case alpha-numeric after that.

I think just looking for the first three characters will be enough to validate on the order of 99.998% of API keys before attempting to call a model.

Alternately (or additionally), you can call the List Models endpoint,

which doesn’t cost anything and will not only validate the API key but also tell you which models the user has access to.

You could also store the key as a stringified JSON object, then throw an error if you can’t parse the JSON. Or store the user’s password as a bcrypt hash so you can validate it before trying to decrypt. Or use a vetted encryption library that throws errors when an incorrect key is provided.

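The two safer options in the reply above (a stored password hash checked before decryption, and an encryption scheme that fails loudly on a wrong key) can be shown side by side with the failure mode from the question. The following is an added example, not code from any poster or from OpenAI. It assumes PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt, a demo SHAKE256 keystream plus HMAC tag in place of a vetted AEAD (so it runs offline with no third-party packages), and a constructed sample key that is not a real credential.

```python
import hashlib
import hmac
import os

# Constructed sample key in the shape reported in this thread; not a real credential.
SAMPLE_API_KEY = "sk-" + "a" * 20 + "T3BlbkFJ" + "B" * 20

PBKDF2_ITERATIONS = 100_000


class DecryptionError(Exception):
    """Raised instead of returning garbage when the password or the data is wrong."""


def _derive_keys(password, salt):
    # PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption for a stdlib-only demo).
    # Three independent 32-byte outputs: a verifier that is safe to store, and an
    # encryption key and MAC key that are never stored.
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=96)
    return material[:32], material[32:64], material[64:]


def _keystream(key, nonce, length):
    # Demo stream cipher: SHAKE256(key || nonce) used as a keystream so the example
    # needs nothing beyond the standard library. Illustrative only; real code should
    # use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library.
    return hashlib.shake_256(key + nonce).digest(length)


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_api_key(api_key, password):
    salt, nonce = os.urandom(16), os.urandom(16)
    verifier, enc_key, mac_key = _derive_keys(password, salt)
    plaintext = api_key.encode("utf-8")
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag, "verifier": verifier}


def decrypt_api_key(blob, password):
    verifier, enc_key, mac_key = _derive_keys(password, blob["salt"])
    # Check 1 (the stored-password-hash idea): reject a wrong password before
    # touching the ciphertext at all.
    if not hmac.compare_digest(verifier, blob["verifier"]):
        raise DecryptionError("wrong password")
    # Check 2 (what a vetted library does for you): the tag fails on a wrong key
    # or a modified ciphertext, so an unrelated string can never be returned.
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise DecryptionError("ciphertext failed authentication")
    ct = blob["ct"]
    return _xor(ct, _keystream(enc_key, blob["nonce"], len(ct))).decode("utf-8")


def decrypt_without_checks(blob, password):
    # The failure mode from the question: no verification, so a wrong password
    # silently yields unrelated bytes instead of an error.
    _, enc_key, _ = _derive_keys(password, blob["salt"])
    ct = blob["ct"]
    return _xor(ct, _keystream(enc_key, blob["nonce"], len(ct)))


if __name__ == "__main__":
    blob = encrypt_api_key(SAMPLE_API_KEY, "correct horse battery staple")
    print(decrypt_api_key(blob, "correct horse battery staple") == SAMPLE_API_KEY)  # True
    print(decrypt_without_checks(blob, "wrong password") == SAMPLE_API_KEY.encode())  # False
    try:
        decrypt_api_key(blob, "wrong password")
    except DecryptionError as exc:
        print("rejected:", exc)
```

The verifier and the encryption key come from separate PBKDF2 output blocks, so storing the verifier does not hand an attacker the key; they still have to guess the password. In production the second check is what an AEAD gives you for free, which is why the "use a vetted library that throws on a wrong key" advice is the simplest of the three to get right.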

OpenAI API keys all seem to be of the form:

sk-[20 characters]T3BlbkFJ[20 characters] (corrected)

Then you have to look at organization keys, Azure keys, goose.ai keys, years-old keys, etc., to see if you really want to validate against this, vs. the sign, salt, nonce, etc. you can add.

They only seem to omit the number “1” from their otherwise base64 encoding.
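Putting the cheap "sk-" prefix test from the earlier reply and the fuller shape reported in this one into a single check, as an added example that is not code from any poster or from OpenAI. It assumes the shape and character set exactly as observed in the thread (prefix, 20 characters, T3BlbkFJ, 20 characters, base64 alphabet without "1"), which is an observation from a handful of keys rather than a published specification; the `strict` flag lets a caller fall back to the prefix-only test for the organization, Azure and older keys the reply warns about. The sample inputs are constructed.

```python
import re

# Shape reported in this thread (an observation from a few keys, not an official spec):
#   "sk-" + 20 chars + "T3BlbkFJ" + 20 chars, characters from the base64 alphabet minus "1".
# ("T3BlbkFJ" happens to be the base64 encoding of the ASCII text "OpenAI".)
_B64_NO_ONE = r"[A-Za-z02-9+/]"
_REPORTED_SHAPE = re.compile(rf"^sk-{_B64_NO_ONE}{{20}}T3BlbkFJ{_B64_NO_ONE}{{20}}$")

# Constructed sample inputs, not real credentials.
SAMPLE_GOOD_KEY = "sk-" + "abcdefghijklmnopqrst" + "T3BlbkFJ" + "ABCDEFGHIJKLMNOPQRST"
SAMPLE_GARBAGE = "\x8f\x02sk\u00e9-\x7f@@"     # what a bad decrypt tends to look like
SAMPLE_OTHER_FORMAT = "sk-" + "1" * 40         # hypothetical legacy / other-vendor key


def classify_api_key(candidate, strict=True):
    """Return (ok, reason).

    strict=False applies only the cheap "sk-" prefix test suggested earlier in the
    thread. strict=True additionally demands the reported full shape, which will
    reject organization keys, Azure keys, older keys and other vendors' keys.
    """
    if not isinstance(candidate, str):
        return False, "not a str (did the decrypt return raw bytes?)"
    # A failed decrypt usually produces bytes that are not printable ASCII at all,
    # so this catches most user errors before any format question arises.
    if not candidate.isascii() or not candidate.isprintable():
        return False, "non-ASCII or non-printable characters; almost certainly a failed decrypt"
    if not candidate.startswith("sk-"):
        return False, "missing the sk- prefix"
    if not strict:
        return True, "sk- prefix present"
    if not _REPORTED_SHAPE.fullmatch(candidate):
        return False, "sk- prefix present but not the reported sk-[20]T3BlbkFJ[20] shape"
    return True, "matches the reported shape"


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD_KEY, SAMPLE_GARBAGE, SAMPLE_OTHER_FORMAT):
        print(repr(sample)[:24], classify_api_key(sample), classify_api_key(sample, strict=False))
```

Treat a strict mismatch as a warning rather than a hard failure: the shape is inferred, not documented, and the List Models call mentioned earlier remains the only authoritative test of whether a key actually works.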

Thanks for the information! Just for the sake of someone who might read this thread in the future, my API key follows the format:

sk-[22 characters]BlbkFJ[20 characters]

Looks like you are right. I was highlighting the characters in notepad++ and looking at the status bar, but it seems I inferred wrong. I forgot to post two more characters that seem common: “T3BlbkFJ”


You’re right, I’m seeing sk-[20 characters]T3BlbkFJ[20 characters].