.env · security

Laravel APP_KEY Generator

Generate a Laravel APP_KEY (base64:... format) in your browser. Identical to php artisan key:generate. Nothing is uploaded or logged.

Be the first to rate
Laravel APP_KEY (base64, 32 bytes)
Identical to what php artisan key:generate produces
Key value
.env line
APP_KEY=
CLI alternative (Artisan)
Generate and write to .env
php artisan key:generate
Print only (no write)
php artisan key:generate --show

What it does

  • Generates base64:-prefixed key matching php artisan key:generate output
  • 32 bytes of cryptographic randomness via crypto.getRandomValues
  • One-click copy of key only or full APP_KEY=… .env line
  • No PHP or Artisan required

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

When to use this tool

  • Setting up a new Laravel project without a local PHP environment
  • Generating a key for a staging environment in CI/CD
  • Quickly rotating APP_KEY after a suspected compromise
  • Provisioning a Laravel app key in a Docker or cloud deployment script

Common mistakes

  • Committing APP_KEY to git — use .env.example with APP_KEY= (blank) instead
  • Using the same APP_KEY across development and production environments
  • Rotating the key without backing up encrypted data or planning for user sessions
  • Omitting the base64: prefix — Laravel will refuse to start without it

What is the Laravel APP_KEY?

Laravel uses APP_KEY to encrypt cookies, signed URLs, queued job payloads, and anything passed through Laravel's encryption/decryption layer. It is a 32-byte key encoded as base64:<value>.

Without a valid APP_KEY, Laravel throws a RuntimeException: No application encryption key has been specified and refuses to start. The key must be set before any data is encrypted — changing it in production invalidates all existing encrypted values.

Format — why the base64: prefix?

Laravel's Encrypter class reads the prefix to know the key is base64-encoded, then decodes it before use. The raw key must be exactly 32 bytes for AES-256-CBC (the default cipher). This tool always generates a 32-byte key for AES-256.

How to set it up

  1. Copy the generated key and add it to .env:
    APP_KEY=base64:<paste here>
  2. For production (Forge, Vapor, Railway), set the variable in the platform's environment settings — never commit it.
  3. Your .env.example should have APP_KEY= with a blank value so teammates know it is required.

Frequently asked questions

What happens if APP_KEY changes in production?

All existing encrypted values become unreadable and all signed cookies are invalidated. Users are logged out and any data encrypted with the old key (queued job payloads, signed URLs, encrypted model attributes) is permanently inaccessible. Plan a maintenance window before rotating in production.

Is the base64: prefix part of the actual key?

No. The base64: prefix is a signal to Laravel's Encrypter class that the key is base64-encoded. Laravel strips it and decodes the raw 32-byte key before using it for AES-256-CBC encryption. The prefix must be present — omitting it causes a runtime error.

What cipher does Laravel use with APP_KEY?

AES-256-CBC by default (the CIPHER setting in config/app.php). The raw key must be exactly 32 bytes for AES-256-CBC or 16 bytes for AES-128-CBC. This tool always generates a 32-byte key for AES-256.

Is it safe to use this instead of php artisan key:generate?

Yes. This tool uses crypto.getRandomValues — the browser's CSPRNG, which draws from the same OS entropy pool as PHP's random_bytes(). The output is statistically equivalent. Nothing is uploaded or logged.

Related tools

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.