What is an API Key

An API key is a long random string that a server generates and a client sends with every API request. It identifies which application or account is making the call. The server looks up the key, finds the associated permissions, and processes the request.

How it works

The client includes the key in a header (Authorization: Bearer sk_live_abc123...) or, less safely, in a query parameter; query strings end up in access logs, proxy logs, and browser history, so the header is the better choice. The server hashes the presented key, looks the hash up in its database, and, if a live record exists, processes the request with the permissions recorded for that key. If no record matches, it returns 401 Unauthorized; if the key is valid but lacks the permission the endpoint needs, 403 Forbidden is the accurate response.

API keys are generated by the server from a cryptographically secure random source, not chosen by users, and are shown to the owner once at creation. They should be stored hashed, never in plain text: because a key already has high entropy, a plain SHA-256 hash is sufficient (unlike a password, it does not need a salted, slow hash), and a stolen table of hashes then gives an attacker nothing usable. Keys should be transmitted only over TLS and rotated periodically, and the server needs a way to revoke a single key without disturbing the others.
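The issue, lookup, and revoke flow described above, written out as an added example (not code from the original page or any particular API provider). It assumes a hypothetical in-memory dictionary in place of a database table, a constructed sk_live_ prefix, and a made-up scope vocabulary such as invoices:read; the stored record holds only the SHA-256 hash, so the plaintext key exists nowhere on the server after it is returned once.

```python
import hashlib
import secrets
from typing import Dict, Optional, Set, Tuple

# Hypothetical in-memory key store: SHA-256 hex digest of the full key -> record.
# A real service would use a database table with a unique index on the hash column.
KEY_STORE: Dict[str, dict] = {}


def hash_key(key: str) -> str:
    """Hash a key for storage. A fast unsalted hash is fine here because the key
    is a long random string; it is not a low-entropy password that needs stretching."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def generate_api_key(owner: str, scopes: Set[str], prefix: str = "sk_live_") -> str:
    """Create a key for an application, store only its hash, return the plaintext once."""
    # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 so it is header-safe.
    secret = secrets.token_urlsafe(32)
    key = prefix + secret
    KEY_STORE[hash_key(key)] = {
        "owner": owner,
        "scopes": set(scopes),
        "hint": key[: len(prefix) + 4],  # prefix plus 4 chars, safe to show in a dashboard
        "revoked": False,
    }
    return key  # shown to the owner now; the server cannot reproduce it later


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Pull the key out of 'Authorization: Bearer <key>'. Header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def authenticate(headers: Dict[str, str]) -> Tuple[int, Optional[dict]]:
    """Return (status, record): 401 when the key is missing, unknown, or revoked."""
    presented = extract_bearer_token(headers)
    if presented is None:
        return 401, None
    record = KEY_STORE.get(hash_key(presented))
    if record is None or record["revoked"]:
        return 401, None
    return 200, record


def authorize(record: dict, required_scope: str) -> int:
    """Return 200 if the key carries the scope the endpoint needs, else 403 Forbidden."""
    return 200 if required_scope in record["scopes"] else 403


def revoke_api_key(key: str) -> None:
    """Revoke one key; other keys belonging to the same owner are unaffected."""
    record = KEY_STORE.get(hash_key(key))
    if record is not None:
        record["revoked"] = True


if __name__ == "__main__":
    key = generate_api_key("billing-service", {"invoices:read"})
    status, rec = authenticate({"Authorization": "Bearer " + key})
    print(status, rec["hint"], authorize(rec, "invoices:write"))  # 200 sk_live_xxxx 403
    revoke_api_key(key)
    print(authenticate({"Authorization": "Bearer " + key})[0])  # 401
```

Looking the record up by hash, rather than fetching a stored hash and comparing it, means an attacker probing the server's timing learns nothing they could use: matching an entry would require a preimage of the stored digest. Note that authentication (is this a live key?) and authorization (does it carry this scope?) are separate steps returning 401 and 403 respectively.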

Why it matters

API keys are the simplest authentication mechanism: easy to generate, easy to use. They identify the application, not the user, which makes them a good fit for server-to-server communication and developer tools. The tradeoffs: they don't expire unless the server enforces a lifetime; they are easily leaked in logs, source code, and configuration files (a recognizable prefix like sk_live_ at least lets secret scanners spot them); and a key stands for one application-level set of permissions, not for the user on whose behalf a particular request is made.

See How API Authentication Works for API keys, OAuth, JWT, and session-based auth.