API Key
What is API Key?
API Key: Static secret string issued by a service to identify and authenticate a caller, usually sent in a header or query parameter on every API request.
API keys are long, randomly generated strings that identify a project, service account, or developer to a backend API. They are simple to issue and use but offer weak guarantees: they identify the caller, not the user, do not expire by default, and grant whatever permissions are bound to them. Because they are static bearer secrets, anyone who obtains the string can impersonate the legitimate caller until the key is revoked.
The dominant failure mode is leakage through source control. GitHub reported that more than 39 million secrets were exposed across its platform in 2024, and GitGuardian's State of Secrets Sprawl research found AWS IAM keys in roughly 8% of scanned private repositories. A 2025 example was the public "Private-CISA" repository, where GitGuardian researcher Guillaume Valadon discovered exposed AWS GovCloud credentials, plaintext passwords, and SAML certificates tied to U.S. government systems. Keys also leak via mobile apps (decompiled APKs), front-end JavaScript bundles, CI logs, and screenshots.
Defences: store keys in a secrets manager rather than code, enable provider-side secret scanning and push protection, scope each key to the minimum endpoints, restrict by IP or HTTP referrer, set expiry and rotate on a schedule, and revoke immediately on exposure. For end-user authorization or high-value operations, prefer OAuth 2.0, mTLS, or HMAC-signed requests, which bind the credential to a user, audience, and short lifetime.
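The server-side half of those defences, as an added illustration that is not from the original page or any named provider: keys are stored only as digests, and every request is checked against the key's scope, IP allowlist, expiry and revocation state before it is honoured. The in-memory registry, the `sk_live_` prefix and the `ApiKey` header scheme are assumptions taken from the example below, not a real provider's API.

```python
import hashlib
import ipaddress
import secrets
import time

# Constructed in-memory registry for the example; a real service would use a database.
# Only SHA-256 digests are stored, so a dump of the registry yields no usable secrets.
KEYS = {}

def _digest(raw):
    return hashlib.sha256(raw.encode()).hexdigest()

def issue_key(scopes, allowed_cidrs, ttl_seconds, now=None):
    """Create a key, store its digest plus policy, and return the plaintext exactly once."""
    now = time.time() if now is None else now
    raw = "sk_live_" + secrets.token_urlsafe(24)  # recognisable prefix helps secret scanners
    KEYS[_digest(raw)] = {
        "scopes": set(scopes),                                   # endpoints this key may call
        "cidrs": [ipaddress.ip_network(c) for c in allowed_cidrs],  # IP allowlist
        "expires": now + ttl_seconds,                            # keys expire by default here
        "revoked": False,
    }
    return raw

def revoke_key(raw):
    """Immediate revocation on exposure: the digest stays, but the key stops working."""
    rec = KEYS.get(_digest(raw))
    if rec is not None:
        rec["revoked"] = True

def parse_api_key_header(value):
    """Extract the key from an 'Authorization: ApiKey <key>' value; None for any other scheme."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0] != "ApiKey":
        return None
    return parts[1].strip()

def authorize(raw, endpoint, client_ip, now=None):
    """Return (ok, reason); each check is one of the defences listed above."""
    now = time.time() if now is None else now
    # Lookup is by digest, so comparison timing reveals nothing about the plaintext key.
    rec = KEYS.get(_digest(raw))
    if rec is None:
        return False, "unknown key"
    if rec["revoked"]:
        return False, "revoked"
    if now >= rec["expires"]:
        return False, "expired"
    if not any(ipaddress.ip_address(client_ip) in net for net in rec["cidrs"]):
        return False, "ip not allowlisted"
    if endpoint not in rec["scopes"]:
        return False, "endpoint out of scope"
    return True, "ok"
```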
flowchart LR
A[Developer issues API key] --> B[Key embedded in app/config]
B --> C{Stored safely?}
C -->|Secrets manager + scanning| D[Caller -> API request<br/>Authorization header]
C -->|Committed to repo / APK / logs| E[Secret scanners + attackers<br/>harvest the key]
E --> F[Impersonation & abuse<br/>until revoked]
D --> G[Scope + IP allowlist + rotation<br/>limit blast radius]
● Examples
- Authorization: ApiKey sk_live_abc123...
- Stripe, Google Maps, and Twilio APIs accessed via per-project API keys.
● Frequently asked questions
What is API Key?
Static secret string issued by a service to identify and authenticate a caller, usually sent in a header or query parameter on every API request. It belongs to the Identity & Access category of cybersecurity.
What does API Key mean?
Static secret string issued by a service to identify and authenticate a caller, usually sent in a header or query parameter on every API request.
How do you defend API keys against leakage and misuse?
Defences for API keys typically combine technical controls and operational practices, as detailed in the full definition above.