Does this verify the key actually works?

No. It only checks that the format matches a known provider pattern — prefix, length, and allowed characters. A correctly formatted key can still be revoked or invalid; only a real API call confirms it works, which this tool deliberately does not do.

Is my key sent anywhere?

No. There are zero network requests. All checks run in your browser against built-in regular expressions, so it is safe to paste a live key.

Which providers are recognized?

OpenAI (including project and restricted keys), Anthropic, Cohere, Mistral, Groq, and Google AI Studio. Unknown formats are reported as unrecognized rather than guessed.

Why does my OpenAI project key look different?

OpenAI issues several key shapes — classic "sk-" keys, project keys prefixed "sk-proj-", and restricted "sk-svcacct-" keys. The validator recognizes each and labels which variant you pasted.

API Key Format Validator

API key format validator

Before you wire a key into an app or paste it into a config, it helps to confirm it is even the right shape — a truncated copy-paste or the wrong provider’s key is a common, frustrating source of 401 errors. This tool checks an API key’s prefix, length, and character set against the documented formats for the major LLM providers, entirely in your browser with no network calls.

How it works

The tool runs your key against a table of provider patterns. Each pattern specifies a required prefix (such as sk-, sk-ant-, or gsk_), an expected character set, and a plausible length range. It reports the first provider whose prefix matches, then verifies the remaining structure and flags any mismatch — for example a key that starts like an OpenAI key but is far too short to be valid. OpenAI’s several variants (classic, sk-proj-, and sk-svcacct-) are distinguished and labeled. Because the check is purely structural, no request is ever made to any provider.

Tips and notes

Format is necessary, not sufficient. A well-formed key can still be revoked or scoped wrong; this only rules out obviously broken strings.
Watch for truncation. The most common failure is a key that lost characters during copy-paste — the length check catches that early.
Restricted keys are limited. OpenAI sk-svcacct- and similar restricted keys may lack scopes (for example metering) that your call needs.
Nothing leaves the page. With zero network calls it is safe to validate a production key here.