There are some inconsistencies on the application keys formats validations:

When the app auth type is "API Key (User key)":

user_key:

• The UI says:

Only alphanumeric characters [0-9, a-z, A-Z], hyphen-minus , no spaces and 256 characters at most.

• But the code is in fact validating a Base 64 string:
  https://github.com/3scale/porta/blob/3scale-2.13.2-GA/app/models/cinstance.rb#L112-L117
• Besides, the method to auto-generate new user keys is generating 16-byte hexadecimal strings:
  https://github.com/3scale/porta/blob/3scale-2.13.2-GA/app/models/cinstance.rb#L515

When the app auth type is "App_ID and App_Key Pair" or "OpenID Connect":

app_id:

• The UI doesn't allow setting the App Id, but it can be done through the API endpoint:

POST /admin/api/accounts/{account_id}/applications.xml

• The code is validating all characters between 32 and 126 in the ASCII table, including spaces, brackets, etc.
  https://github.com/3scale/porta/blob/3scale-2.13.2-GA/app/models/cinstance.rb#L119

app_key/client_key:

• The UI says:

Only alphanumeric characters [0-9, a-z, A-Z], hyphen-minus , between 5 and 256 characters long. No spaces allowed.

• But the code is validating all characters between 32 and 126 in the ASCII table, including spaces, brackets, etc.:
  https://github.com/3scale/porta/blob/3scale-2.13.2-GA/app/models/application_key.rb#L14-L16

This needs some rework: either we update all UI labels to match the backend validations, or we update backend validations to something that makes more sense. Or both. It doesn't make sense to allow spaces in app ids and app keys, IMO.