What is an API Key?

API keys, OAuth, Bearer tokens — how authentication works and how to keep your credentials safe.


In this guide

  1. What is an API key?
  2. How API keys work
  3. API key vs OAuth vs Bearer token
  4. Where to store your API key
  5. How to get an API key
  6. What to do if your key is compromised

What is an API key?

An API key is a long string of random characters that uniquely identifies your application to an API. Think of it as a password for your code — instead of a human logging in with a username and password, your application presents this key with every request it makes.

Analogy: An API key is like a library card. The library (the API) issues you a unique card number. Every time you borrow a book (make a request), you show your card. The library knows who you are, what you've borrowed, and can cut off your access if needed — without ever seeing your name or home address.

API keys serve three purposes: identification (who is making this request?), authorisation (are they allowed to do this?), and rate limiting (have they exceeded their quota?). They're the most common way to authenticate with public APIs.

How API keys work

When you sign up for an API, the provider generates a unique key for you. You include this key in every HTTP request you send. The server checks the key against its database before processing your request.

API keys are sent in one of two places:

In an HTTP header (most common)

# The key is sent as a request header
GET https://api.example.com/data
X-API-Key: sk_live_a1b2c3d4e5f6g7h8i9j0

As a query parameter

# The key is appended to the URL
GET https://api.example.com/data?api_key=a1b2c3d4e5f6g7h8i9j0

Header-based keys are generally preferred because the URL (including query parameters) can appear in browser history, server logs, and referrer headers. Headers are more private.

What the API does with your key: The server looks up your key in its database, checks whether it's valid and active, verifies you have permission for that endpoint, increments your usage counter, and then — if all checks pass — processes your request.
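As an added example (not code from the original guide or from any particular API provider), here is the server-side sequence just described in Python: lookup, active check, permission check, usage counter, then the request proceeds. A dictionary stands in for the provider's database, keys are stored only as SHA-256 hashes so a database leak does not expose usable keys, and the rate limit of 3 requests per minute is deliberately tiny so the quota check is easy to see.

```python
import hashlib
import secrets
import time

# Constructed in-memory "database": hash of key -> metadata the server checks.
KEY_DB = {}
USAGE = {}              # hash of key -> request timestamps in the current window

RATE_LIMIT = 3          # requests allowed per window (tiny, for the demo)
WINDOW_SECONDS = 60


def hash_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


def issue_key(app_name: str, scopes: set) -> str:
    """Generate a key for an application; only its hash is stored server-side."""
    raw = "sk_live_" + secrets.token_urlsafe(24)
    KEY_DB[hash_key(raw)] = {"app": app_name, "active": True, "scopes": set(scopes)}
    return raw  # shown to the developer once, as the guide notes


def revoke_key(raw_key: str) -> None:
    KEY_DB[hash_key(raw_key)]["active"] = False


def check_request(headers: dict, endpoint_scope: str, now=None) -> tuple:
    """Return (HTTP status, reason) for a request carrying an X-API-Key header.
    Order mirrors the text: lookup -> active? -> permitted? -> within quota?"""
    now = time.time() if now is None else now
    raw = headers.get("X-API-Key")
    if not raw:
        return 401, "missing key"
    key_hash = hash_key(raw)
    record = KEY_DB.get(key_hash)
    if record is None:
        return 401, "unknown key"
    if not record["active"]:
        return 401, "key revoked"
    if endpoint_scope not in record["scopes"]:
        return 403, "scope not granted"
    # Sliding window: keep only timestamps from the last WINDOW_SECONDS.
    window = [t for t in USAGE.get(key_hash, []) if now - t < WINDOW_SECONDS]
    if len(window) >= RATE_LIMIT:
        USAGE[key_hash] = window
        return 429, "rate limit exceeded"
    USAGE[key_hash] = window + [now]   # increment the usage counter
    return 200, "ok"
```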

API key vs OAuth vs Bearer token

Not all APIs use simple API keys. Here are the four main authentication patterns you'll encounter:

API Key
A static secret string issued to your app. Simple to use, great for server-side code. The key identifies your application, not a specific user. Best for: weather, mapping, data APIs.
OAuth 2.0
A flow that lets users grant your app access to their data on another service — without sharing their password. Your app gets a temporary access token. Best for: social login, calendar access, reading someone's tweets.
Bearer Token
A short-lived token your app receives after exchanging credentials (client ID + secret). Sent as Authorization: Bearer <token>. Expires and must be refreshed. Best for: microservices, B2B integrations.
Basic Auth
Your username and password, Base64-encoded and sent in the Authorization header. Simple but only safe over HTTPS. Increasingly rare in modern APIs — mostly found in older systems.

In the Find an API catalog, every API listing shows its authentication type so you know what to expect before you start integrating.

Where to store your API key

Never put your API key directly in your frontend JavaScript code. Anyone who views your page source or opens the browser's developer tools will be able to read it. The same applies to committing keys to a public Git repository — keys committed to GitHub have been found and abused within minutes.

The right way to handle API keys depends on where your code runs:

Server-side apps
Store in environment variables (.env file locally, secrets manager in production). Never hardcode. Access as process.env.MY_API_KEY in Node.js or os.environ.get() in Python.
Frontend / browser apps
Proxy requests through your own backend server. Your server holds the key, your frontend calls your server. Never expose API keys directly in client-side code.
CI/CD pipelines
Use your platform's secrets feature (GitHub Actions Secrets, Vercel Environment Variables, etc.). Keys are injected at build time and never stored in source code.
Add .env to your .gitignore before your first commit. Create a .env.example file instead that lists the variable names without the values, so collaborators know what they need to provide.
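The backend-proxy pattern for browser apps, as an added example (not code from the original guide): the server reads MY_API_KEY from the environment and refuses to start without it, accepts only an allow-listed upstream path and parameter set so it cannot be used as an open relay for someone else's requests, discards any key the browser tried to send, and attaches the real key as a header rather than a query parameter. The upstream host comes from the guide; the parameter names and the small helper functions are assumptions for the demo, and only the request is built here so the code runs offline.

```python
import os
from urllib.parse import urlencode

UPSTREAM = "https://api.example.com"   # the third-party API from the guide

# Only these upstream paths and query parameters may be reached through the
# proxy, so the backend does not become an open relay that spends your quota.
ALLOWED_PATHS = {"/data"}
ALLOWED_PARAMS = {"city", "units"}     # assumed parameter names for the demo


def load_api_key(env=None) -> str:
    """Read the key from the environment and fail fast if it is missing,
    instead of silently sending unauthenticated requests upstream."""
    env = os.environ if env is None else env
    key = env.get("MY_API_KEY")
    if not key:
        raise RuntimeError("MY_API_KEY is not set; copy .env.example to .env")
    return key


def build_upstream_request(path: str, client_params: dict, api_key: str):
    """Translate what the browser asked for into the request the server makes.
    Returns (url, headers); raises ValueError for a request the proxy refuses."""
    if path not in ALLOWED_PATHS:
        raise ValueError(f"path not permitted through proxy: {path}")
    # Keep only known parameters; this drops anything the client smuggled in,
    # including an api_key of its own.
    params = {k: v for k, v in client_params.items() if k in ALLOWED_PARAMS}
    url = f"{UPSTREAM}{path}"
    if params:
        url += "?" + urlencode(sorted(params.items()))
    # The key travels in a header, never in the URL, which ends up in logs,
    # browser history and referrer headers.
    headers = {"X-API-Key": api_key, "Accept": "application/json"}
    return url, headers
```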

How to get an API key

The process is similar for almost every API:

  1. Sign up for an account on the API provider's website. Most free-tier APIs just need an email address.
  2. Navigate to the developer dashboard or settings. Look for sections labelled "API", "Developer", "Keys", or "Credentials".
  3. Create a new key or application. Some providers let you create multiple keys — useful for separating development and production environments.
  4. Copy the key immediately. Many APIs show the full key only once. If you miss it, you'll need to revoke and regenerate.
  5. Store it in your environment variables — never in your code. Test with a quick API call to confirm the key works.

What to do if your key is compromised

If you accidentally expose your API key — pushed it to GitHub, pasted it in a chat, logged it somewhere public — act immediately:

  1. Revoke the key immediately in the provider's dashboard. An exposed key should be treated as already compromised, even if you caught it quickly.
  2. Generate a new key and update it in all your environments (development, staging, production).
  3. Check your usage logs for any unusual activity between when the key was exposed and when you revoked it.
  4. If it was in a Git commit, note that deleting the file isn't enough — the key will still be in the commit history. Use git filter-branch or BFG Repo Cleaner to scrub it, or treat the history as permanently exposed.

Prevention: Tools like Gitleaks and TruffleHog can scan your repository for accidentally committed secrets. GitHub also runs automatic secret scanning on public repos and alerts providers when it finds exposed keys.
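To show what secret scanners of this kind look for, here is an added example (not Gitleaks', TruffleHog's or GitHub's code) that checks lines of a commit for two signals: a recognisable key prefix like the sk_live_ key shown earlier, and a long high-entropy value assigned to a variable named like a secret. Placeholders of the .env.example style are skipped, and a line that reads the key from the environment is correctly left alone. The sample lines and the prefix list are constructed for the demo.

```python
import math
import re

# Provider-style prefix followed by a long token (constructed list for the demo).
KNOWN_PREFIXES = re.compile(r"\b(sk_live_|sk_test_)[A-Za-z0-9_-]{16,}\b")
# A long token assigned to a secret-looking variable name.
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})['\"]?")

# Constructed sample of lines as they might appear in a commit diff.
SAMPLE_LINES = [
    'X-API-Key: sk_live_a1b2c3d4e5f6g7h8i9j0',          # the guide's example key
    'API_KEY=your_api_key_goes_here_xxx',               # .env.example placeholder
    'token = "a1B2c3D4e5F6g7H8i9J0k1L2"',               # hardcoded credential
    'api_key = os.environ.get("MY_API_KEY")',           # the right way; not flagged
    'print("hello world")',
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and repeats score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_no, reason, value) for each line that looks like a
    committed credential. Obvious placeholders are skipped."""
    findings = []
    for no, line in enumerate(lines, start=1):
        m = KNOWN_PREFIXES.search(line)
        if m:
            findings.append((no, "known key prefix", m.group(0)))
            continue
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            if value.lower().startswith(("your_", "changeme", "xxx")):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((no, "high-entropy secret assignment", value))
    return findings
```

Run it over the diff of each commit (a pre-commit hook is the usual place) and block the commit when the list is non-empty.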
