diff --git a/.talismanrc b/.talismanrc
index 294bd12975..0832a6f9ad 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -14,7 +14,7 @@ fileignoreconfig:
 - filename: app/constants.py
 checksum: 44390d0a1258b184cf84dc9b6e97bd0768af84a9aa346ba963aa7735fc8bcb36
 - filename: app/dao/api_key_dao.py
- checksum: ab93313f306c8a3f6576141e8f32d9fc99b0de7da8d44a1ddbe6ea55d167dcdb
+ checksum: c44cbd8ae02fb1d551a1f0941365c11977564a6444950ee2b0282ee4b5fd1314
 - filename: app/letters/utils.py
 checksum: 5e6071b9cab380f9f3ee172f8c731061241200f53453a9863f22bb5eaa05e6af
 - filename: app/notifications/process_notifications.py
@@ -74,7 +74,7 @@ fileignoreconfig:
 - filename: tests/app/conftest.py
 checksum: a80aa727586db82ed1b50bdb81ddfe1379e649a9dfc1ece2c36047486b41b83d
 - filename: tests/app/dao/test_api_key_dao.py
- checksum: ef306fcc1dc512b74abeb5dde5f20977cf95e67a2fa049df6289a7b5500339a9
+ checksum: 40e551ca6677aab7657bbb43efdac56aa3c51065ed99052faff9bc1519e5b0df
 - filename: tests/app/notifications/test_process_notifications_for_profile_v3.py
 checksum: 4e15e63d349635131173ffdd7aebcd547621db08de877ef926d3a41fde72d065
 - filename: tests/app/notifications/test_send_notifications.py
diff --git a/app/dao/api_key_dao.py b/app/dao/api_key_dao.py
index 87b0aaba7b..1e1e8b8066 100644
--- a/app/dao/api_key_dao.py
+++ b/app/dao/api_key_dao.py
@@ -1,12 +1,12 @@
+import secrets
 import uuid
 from datetime import datetime, timedelta
-from app import db
-from app.models import ApiKey
+from sqlalchemy import func, or_, select
+from app import db
 from app.dao.dao_utils import transactional, version_class
-
-from sqlalchemy import or_, func, select
+from app.models import ApiKey
 @transactional
@@ -15,7 +15,7 @@ def save_model_api_key(api_key):
 if not api_key.id:
 api_key.id = uuid.uuid4() # must be set now so version history model can use same id
 if not api_key.secret:
- api_key.secret = uuid.uuid4()
+ api_key.secret = secrets.token_urlsafe(64)
 db.session.add(api_key) 
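Review bot: In the `save_model_api_key` hunk, the generated secret changes from a `uuid.UUID` object to an 86-character string (`secrets.token_urlsafe(64)` takes a byte count, not an output length), and nothing visible here shows that the consumers of `api_key.secret` accept the new shape. Before merge it is worth confirming that the column or signing layer behind `ApiKey.secret` has no length limit sized for a 36-character UUID, and that whatever parses a presented key does not assume a fixed-length or UUID-formatted secret; keys issued before this change keep the old format, so both must keep validating. I would also record the intent next to the call, e.g. `# 64 random bytes -> 86 URL-safe chars; replaces the 36-char uuid4 secret`. The function's `def` line and decorators sit outside the hunk, so this is based on the visible body only.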
diff --git a/tests/app/dao/test_api_key_dao.py b/tests/app/dao/test_api_key_dao.py
index 5167866e34..360ab9d309 100644
--- a/tests/app/dao/test_api_key_dao.py
+++ b/tests/app/dao/test_api_key_dao.py
@@ -187,3 +187,14 @@ def test_should_not_return_revoked_api_keys_older_than_7_days(
 all_api_keys = get_model_api_keys(service_id=service.id)
 assert len(all_api_keys) == expected_length
+
+
+def test_save_api_key_should_generate_secret_with_expected_format(sample_service):
+ service = sample_service()
+ api_key = ApiKey(
+ **{'service': service, 'name': service.name, 'created_by': service.created_by, 'key_type': KEY_TYPE_NORMAL}
+ )
+ save_model_api_key(api_key)
+
+ assert api_key.secret is not None
+ assert len(api_key.secret) >= 86
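Review bot: `test_save_api_key_should_generate_secret_with_expected_format` checks only a lower bound on length, so it would still pass for any long string, including one outside the URL-safe alphabet or one that is not random at all. Assuming `api_key.secret` reads back the raw generated value, `secrets.token_urlsafe(64)` yields exactly 86 characters from `A-Za-z0-9_-`, so the last assertion could pin the format with `assert re.fullmatch(r"[A-Za-z0-9_-]{86}", api_key.secret)` (needs `import re` in the test module). A second case that saves an `ApiKey` with a preset secret and asserts it is left unchanged would cover the `if not api_key.secret` guard that the new generator sits behind.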