API key format validator
Before you wire a key into an app or paste it into a config, it helps to confirm it is even the right shape — a truncated copy-paste or the wrong provider’s key is a common, frustrating source of 401 errors. This tool checks an API key’s prefix, length, and character set against the documented formats for the major LLM providers, entirely in your browser with no network calls.
How it works
The tool runs your key against a table of provider patterns. Each pattern
specifies a required prefix (such as sk-, sk-ant-, or gsk_), an expected
character set, and a plausible length range. It reports the first provider whose
prefix matches, then verifies the remaining structure and flags any mismatch —
for example a key that starts like an OpenAI key but is far too short to be
valid. OpenAI’s several variants (classic, sk-proj-, and sk-svcacct-) are
distinguished and labeled. Because the check is purely structural, no request is
ever made to any provider.
Recognised key formats
| Provider | Key prefix | Notes |
|---|---|---|
| OpenAI (standard) | sk- | Classic 51-character key |
| OpenAI (project key) | sk-proj- | Scoped to a specific OpenAI project |
| OpenAI (service account) | sk-svcacct- | Restricted key; may lack billing/metering scope |
| Anthropic | sk-ant- | All Claude API keys begin with this |
| Cohere | (alphanumeric, no standard prefix) | Validated by length and character set |
| Mistral | (alphanumeric) | Various lengths; validated structurally |
| Groq | gsk_ | Groq’s published prefix |
| Google AI Studio | AIza | Used for Gemini API access |
Why format checks are valuable
Catching truncated keys. The single most common cause of a correct-looking 401 error is a key shortened during copy-paste — either trailing characters cut off in a text box or a newline inserted mid-key. A length check catches this instantly without touching the API.
Distinguishing key types before use. OpenAI’s sk-svcacct- restricted keys lack certain API scopes (such as metering and fine-tuning). Recognising the variant before you build your integration avoids a mysterious permission error later.
Confirming you have the right provider’s key. When multiple LLM providers are in play, it is easy to paste Anthropic’s sk-ant- key into an OpenAI field. The prefix check makes the mismatch obvious immediately.
Tips and notes
- Format is necessary, not sufficient. A well-formed key can still be revoked or scoped wrong; only a real API call confirms it works, which this tool deliberately does not make.
- Watch for trailing whitespace. Some password managers pad keys with a space or newline. The validator trims these before checking, and flags if trimming was needed.
- Restricted keys are limited. OpenAI
sk-svcacct-and similar restricted keys may lack scopes (for example metering) that your call needs — check the key’s permissions in the provider dashboard. - Nothing leaves the page. With zero network calls it is safe to validate a production key here.