An API Key is a long alphanumeric string (typically 32-64 characters) that acts as an access credential to an API. It works like a password: whoever has it can make authenticated requests.
It emerged in the 2000s when web APIs started gaining popularity. Google, AWS, and Stripe pioneered their use to control access and measure usage. Today they're the simplest and most common authentication method for machine-to-machine communication.
The key difference from user passwords: an API Key identifies an application or service, not a person. A single system can have multiple keys for different environments (development, staging, production) or for different clients consuming your API.
Don't confuse with JWT: a JWT is a self-signed token that contains data (claims) and expires. An API Key is opaque (contains no decodable information) and typically doesn't expire, although best practices recommend periodic rotation.
The standard flow: when a client wants to use your API, you generate a unique key for them. The client includes it in each request, typically in three ways:
- HTTP Header:
Authorization: Bearer your_api_key_hereorX-API-Key: your_api_key_here(most common and recommended). - Query string:
GET /api/data?api_key=your_api_key(insecure because URLs get logged in servers and proxies). - Body in POST: less common, similar logging problem as query string.
Your server receives the request, extracts the key, looks it up in the database and verifies: is it valid? is it active? does it have permissions for this endpoint? If everything checks out, you process the request. If not, you return 401 Unauthorized or 403 Forbidden.
Keys are stored hashed in the database (SHA-256 or bcrypt), just like passwords. You only show the key in plain text when generating it: after that the user must store it themselves. If they lose it, you generate a new one.
They're ideal for public APIs with rate limiting: services like Google Maps, OpenAI, SendGrid. Each key is associated with a project or account, allowing you to track usage and charge based on consumption.
Perfect for backend-to-backend integrations: your server calling an external service (Stripe, AWS S3, Twilio). No end user involved, just two systems talking.
Useful in webhooks: when you configure an external service to call your API when an event occurs, you give it a key to authenticate. You verify the request comes from who it claims to be.
Don't use for frontend applications (SPAs, mobile apps): the key would be exposed in client code. Anyone can extract it and abuse your API. For those cases, use OAuth 2.0 or JWT with short-lived tokens.
Don't use when you need granular per-user permissions. API Keys identify the client, not the end user. If your API needs to know who is performing the action (not just what app), you need JWT or session tokens.
Generation: use a cryptographically secure generator (crypto.randomBytes(32) in Node, secrets.token_urlsafe() in Python). Never use standard UUIDs or timestamps: they're predictable.
Transmission: HTTPS always. An API Key over plain HTTP is like shouting your password in the street. Headers, not query strings: prevents accidental logging.
Storage: hash keys in your DB. If your database gets hacked, the keys are useless without the original hash. The client must store the key in environment variables, never in versioned code.
Rotation: allow users to regenerate keys. Implement automatic expiration (30-90 days) to force rotation. Support for multiple active keys simultaneously facilitates rotation without downtime.
Rate limiting: associate request limits per minute/hour to each key. Prevents abuse and brute force attacks. Logging: record each use of each key (without logging the complete key, just an identifier) to detect anomalous usage.
Examples
X-API-Key: sk_live_51H8z2KL4m9n0pQ...Authorization: Bearer gfy_1a2b3c4d5e6f7g8h9i0jcurl -H 'X-API-Key: your_key' https://api.example.com/dataAPI_KEY=gfy_... node app.js (environment variable)SHA-256 hash stored: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
FAQ
What's the difference between API Key and JWT?
API Key is opaque (contains no data), identifies an app/service, typically doesn't expire. JWT contains decodable claims, identifies a user, expires in minutes/hours. JWT for frontend, API Key for backend.
Is it safe to put the API Key in the query string?
No. URLs get logged in servers, proxies, browser history. Use HTTP headers (X-API-Key or Authorization) and always HTTPS.
How do I rotate an API Key without causing downtime?
Support multiple active keys per client. Generate the new one, update your services to use the new one, then deactivate the old one. 24-48h window for migration.