An API key is a unique string that identifies and authenticates an application making API requests. It's the simplest form of API authentication — include the key in request headers and the server validates it. API keys identify the caller but don't represent user identity like OAuth tokens do.

How API Key Works

Example API key usage: curl -H 'Authorization: Bearer sk-abc123...' https://api.example.com/data. The server looks the key up in its database, applies the rate limit associated with that key, and returns the data. Keep keys secret: never commit them to Git; load them from environment variables instead.

Key Concepts

  • Server-Side Only — Use API keys only from server-side code. Anything shipped to a browser, including client-side JavaScript, can be read by anyone, so a key exposed there is no longer secret.
  • Environment Variables — Store keys in .env files (gitignored) or in a secrets manager. Never hardcode them in source.
  • Rate Limiting — Because each key identifies one client, the server can track usage per key and enforce quotas.
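The server-side flow described above (parse the Bearer header, check the key against stored records, enforce a per-key quota) and the storage advice in the list, as an added example that is not from the original page. It is a small self-contained Python module, not any real API's implementation: the client name, the EXAMPLE_API_KEY variable name, and the limits are constructed for illustration. It keeps only a SHA-256 hash of each issued key, compares hashes with a constant-time function, and uses a fixed-window counter with an injectable clock so the quota logic can be exercised without waiting.

```python
"""Server-side API key validation with hashed storage and per-key rate limiting.

Added example; not code from the original page. Keys, client names and
limits are constructed. `now` is injectable so tests can control time.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ClientRecord:
    client_id: str
    key_hash: bytes            # SHA-256 of the key; the plaintext is never stored
    limit_per_window: int      # requests allowed per window
    window_seconds: int = 60
    window_start: float = 0.0
    used: int = 0


class ApiKeyStore:
    def __init__(self, now=time.time):
        self._now = now
        self._records: List[ClientRecord] = []

    @staticmethod
    def _hash(key: str) -> bytes:
        return hashlib.sha256(key.encode("utf-8")).digest()

    def issue_key(self, client_id: str, limit_per_window: int, window_seconds: int = 60) -> str:
        # 32 random bytes; the "sk_" prefix mirrors the page's 'sk-abc123...' style
        key = "sk_" + secrets.token_urlsafe(32)
        self._records.append(ClientRecord(client_id, self._hash(key), limit_per_window, window_seconds))
        return key  # shown to the client once; only the hash is retained

    def _lookup(self, key: str) -> Optional[ClientRecord]:
        presented = self._hash(key)
        found = None
        # Walk every record and use a constant-time compare so response timing
        # does not reveal how much of a hash matched or which record it was.
        for rec in self._records:
            if hmac.compare_digest(rec.key_hash, presented):
                found = rec
        return found

    def authenticate(self, authorization_header: Optional[str]) -> Tuple[int, str]:
        """Return (http_status, client_id_or_reason) for a request's Authorization header."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401, "missing or malformed Authorization header"
        key = authorization_header[len("Bearer "):].strip()
        rec = self._lookup(key)
        if rec is None:
            return 401, "invalid API key"
        now = self._now()
        if now - rec.window_start >= rec.window_seconds:
            rec.window_start, rec.used = now, 0   # start a fresh window
        if rec.used >= rec.limit_per_window:
            return 429, "rate limit exceeded for " + rec.client_id
        rec.used += 1
        return 200, rec.client_id


def key_from_env(name: str = "EXAMPLE_API_KEY", env: Optional[Dict[str, str]] = None) -> str:
    """Client side: read the key from the environment instead of hardcoding it.

    `EXAMPLE_API_KEY` is a placeholder variable name, not one used by any real API.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to run without an API key")
    return value


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue_key("billing-service", limit_per_window=2)
    print(store.authenticate("Bearer " + key))      # (200, 'billing-service')
    print(store.authenticate("Bearer " + key))      # (200, 'billing-service')
    print(store.authenticate("Bearer " + key))      # (429, ...) third call in the window
    print(store.authenticate("Bearer sk_not_a_key"))  # (401, 'invalid API key')
```

The `issue_key` return value is the only time the plaintext exists on the server; a database dump afterwards yields only hashes, which is the same reasoning as hashing passwords. The 429 response is the observable effect of the per-key quota mentioned in the list, and an operator watching for clusters of 401s from one source gets an early signal of key guessing or a leaked, since-rotated key.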

Frequently Asked Questions

API key vs OAuth?

Use API keys for server-to-server authentication (your backend calling an API). Use OAuth for user-context authorization (acting on behalf of a user). Don't use API keys for user authentication.