API Key
What is API Key?
API KeyStatic secret string issued by a service to identify and authenticate a caller, usually sent in a header or query parameter on every API request.
API keys are long, randomly generated strings that identify a project, service account, or developer to a backend API. They are simple to issue and use but offer weak guarantees: they identify the caller, not the user, do not expire by default, and grant whatever permissions are bound to them. Best practices include storing keys in a secrets manager, never embedding them in client-side code or public repos, scoping each key narrowly, restricting them by IP or referrer, rotating them on a schedule, and revoking immediately when leaked. For end-user authorization or high-value operations, prefer OAuth 2.0, mTLS, or signed requests instead.
● Examples
- 01
Authorization: ApiKey sk_live_abc123...
- 02
Stripe, Google Maps, and Twilio APIs accessed via per-project API keys.
● Frequently asked questions
What is API Key?
Static secret string issued by a service to identify and authenticate a caller, usually sent in a header or query parameter on every API request. It belongs to the Identity & Access category of cybersecurity.
What does API Key mean?
Static secret string issued by a service to identify and authenticate a caller, usually sent in a header or query parameter on every API request.
How does API Key work?
API keys are long, randomly generated strings that identify a project, service account, or developer to a backend API. They are simple to issue and use but offer weak guarantees: they identify the caller, not the user, do not expire by default, and grant whatever permissions are bound to them. Best practices include storing keys in a secrets manager, never embedding them in client-side code or public repos, scoping each key narrowly, restricting them by IP or referrer, rotating them on a schedule, and revoking immediately when leaked. For end-user authorization or high-value operations, prefer OAuth 2.0, mTLS, or signed requests instead.
How do you defend against API Key?
Defences for API Key typically combine technical controls and operational practices, as detailed in the full definition above.
● Related terms
- appsec№ 459
Hardcoded Secrets in Code
Embedding credentials, API keys, tokens, or cryptographic material directly in source code, configuration files, or container images, where they are easily discovered and abused.
- appsec№ 052
API Security
The discipline of designing, building and operating application programming interfaces so that authentication, authorization, data exposure and abuse-resistance hold up under attack.
- identity-access№ 088
Bearer Token
An opaque or structured credential (RFC 6750) granting access to a resource simply by possession, without proof that the holder is the rightful owner.
- identity-access№ 749
OAuth 2.0
An open authorization framework that lets a resource owner grant a third-party application limited, scoped access to an API without sharing credentials.
- identity-access№ 1011
Service Account
A non-human identity used by an application, script, or service to authenticate to other systems, typically without interactive login.
- identity-access№ 233
Credential Vault
A centralized, audited service that securely stores, rotates, and brokers access to secrets such as passwords, API keys, certificates, and SSH keys.