API key
ay-pee-eye kee
A unique string that identifies and authenticates an application or user when making API requests.
An API key is a long, random string that acts as an identifier and credential for API access. When Stripe gives you a key like sk_live_51Hb... you include it in every API request. The server checks the key, determines which account it belongs to, and applies the right permissions and rate limits. No username, no password. Just the key.
API keys are the simplest form of API authentication. They work well for server-to-server communication where the key can be stored securely in environment variables. They are a poor choice for client-side code (anyone can view the source and steal the key) and for scenarios requiring fine-grained user permissions (an API key typically represents an account, not a specific user).
Most developer platforms issue two types of keys: test keys and live keys. Stripe prefixes them: sk_test_ for sandbox, sk_live_ for production. This prevents accidentally charging real credit cards during development. Keys can also be scoped: a read-only key for analytics, a write key for creating resources. If a key is compromised, you revoke it and generate a new one. The old key stops working immediately.
Examples
A developer integrates a payment API.
The developer signs up for Stripe, copies the test API key from the dashboard, and stores it in a .env file. The backend includes the key in the Authorization header of every request to Stripe's API. Stripe validates the key, confirms it belongs to a valid account, and processes the request. In production, the developer swaps the test key for the live key. Same code, different key, real payments.
A company rotates API keys after a security incident.
A developer accidentally commits an API key to a public GitHub repo. Within minutes, bots scan the commit and attempt to use the key. The security team detects unusual API activity, revokes the compromised key, and generates a new one. They update the key in their secret management system (AWS Secrets Manager), and all services pick up the new key automatically. Total exposure: 12 minutes.
A platform implements scoped API keys.
The analytics platform lets users create multiple API keys with different permissions. The data engineering team creates a key with read access to raw events. The marketing team creates a key that can only read dashboard data. The admin creates a key with full access. If the marketing team's key is compromised, the attacker cannot access raw data or modify anything. Scoping limits the blast radius.
Frequently asked questions
Should I use API keys or OAuth for my API?
API keys for server-to-server integrations where a single credential represents the whole account. OAuth for user-facing integrations where each user needs their own permissions. If a developer writes a backend script that calls your API, an API key is fine. If a developer builds an app where their users log in and access their own data, use OAuth. Many platforms offer both: API keys for simple integrations and OAuth for user-facing applications.
How do you store API keys securely?
Never in code or Git. Store them in environment variables for local development. Use a secret management service (AWS Secrets Manager, HashiCorp Vault, Doppler) for production. Set environment variables in your CI/CD platform (GitHub Actions secrets, Vercel environment variables). Never log API keys. Never include them in error messages. Never send them to the frontend. If you need to display a key in a dashboard, show only the last four characters.
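To make the mechanics above concrete (test/live prefixes, scoped keys, immediate revocation, per-key rate limits, and showing only a masked form of a key), here is an added example of a minimal server-side key store; it is not code from the page or from any platform, and the key format, scope names, account id and rate-limit window are constructed assumptions:

```python
import hashlib
import secrets
import time

# Constructed in-memory store. Only a SHA-256 digest of each key is kept at
# rest, plus a masked form (prefix and last four characters) for dashboards.
_KEYS = {}
RATE_LIMIT = 3  # requests per 60-second window; deliberately tiny for the demo

def _digest(key: str) -> str:
    # Keys are long random tokens, so a plain hash is enough to look them up
    # without ever storing the plaintext.
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(account: str, live: bool, scopes: set) -> str:
    """Mint a key with a Stripe-style sk_test_/sk_live_ prefix; returned once."""
    key = ("sk_live_" if live else "sk_test_") + secrets.token_urlsafe(24)
    _KEYS[_digest(key)] = {
        "account": account, "live": live, "scopes": set(scopes),
        "display": key[:8] + "..." + key[-4:],  # all a dashboard should show
        "revoked": False, "window": None, "count": 0,
    }
    return key  # the caller stores this in an env var or secret manager

def revoke_key(key: str) -> None:
    """Revocation takes effect on the next request; no restart needed."""
    _KEYS[_digest(key)]["revoked"] = True

def authorize(key: str, scope: str, now: float = None) -> tuple:
    """Resolve a presented key to its account, then apply rate limit and scope.

    Returns (ok, reason_or_account). Failure reasons never echo the key.
    """
    now = time.time() if now is None else now
    record = _KEYS.get(_digest(key))
    if record is None:
        return False, "unknown key"
    if record["revoked"]:
        return False, "key revoked"
    window = int(now // 60)  # fixed 60-second window per key
    if record["window"] != window:
        record["window"], record["count"] = window, 0
    record["count"] += 1  # every attempt counts, including scope failures
    if record["count"] > RATE_LIMIT:
        return False, "rate limit exceeded"
    if scope not in record["scopes"]:
        return False, f"scope {scope!r} not granted to {record['display']}"
    return True, record["account"]
```

A real deployment would keep the records in a database and log only the masked `display` value, never the presented key.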
Related terms
Authentication: The process of verifying who a user is, typically through credentials like a password or token.
Authorization: The process of determining what actions or resources an authenticated user is allowed to access.
OAuth: An open standard that lets users grant third-party apps limited access to their accounts without sharing passwords.
API (application programming interface): A defined way for software programs to communicate with each other.
Rate limiting: Restricting how many requests a client can make to an API within a time window to prevent abuse and overload.