What is an API Key? Definition, Use, Security Best Practices

What is an API key?

An API key is a unique string of characters that identifies and authenticates the application or user making a request to an API. It's the simplest form of API authentication: include the key in the request header (or sometimes query string), and the server checks it against a database to allow or deny the call.

API keys are commonly used for: identifying which app/team is calling, applying rate limits, tracking usage for billing, and basic authorization. They are simpler than OAuth but also weaker — anyone with the key can impersonate the holder.

What an API key looks like

# Long random string
API_KEY="sk_live_4eC39HqLyjWDarjtT1zdp7dc"

# Sometimes prefixed for identification
API_KEY="ghp_aBcD1234eFgH5678iJkL9012mNoP3456qRsT"

How API keys are sent

Header-based is preferred — avoids URL logs leaking the key.

API key vs other auth methods

API key generation example

// Node.js
import crypto from 'crypto';

function generateApiKey(prefix = 'sk_live_') {
  return prefix + crypto.randomBytes(24).toString('hex');
}

const key = generateApiKey();
// sk_live_a1b2c3d4e5f6...

// Store HASH of key in DB, not key itself
const hash = crypto.createHash('sha256').update(key).digest('hex');
await db.apiKeys.insert({ user_id: userId, key_hash: hash });

Critical: store hash, not the raw key. Even if your DB leaks, attackers can't use the keys.

API key security best practices

• Treat keys as secrets. Never commit to git, never paste in screenshots.
• Use environment variables. API_KEY=... in .env (gitignored).
• Rotate regularly. Every 90 days; immediately on any suspicion of leak.
• Scope with permissions. Read-only key for read-only ops; least privilege.
• IP allowlist. Restrict which IPs can use the key.
• Different keys per environment. Dev/staging/prod keys separate.
• Hash, don't store raw. bcrypt/SHA-256 the key in your DB.
• Show key once at creation. Force user to copy + secure it; don't display again.
• Rate-limit per key. Detect/contain compromised keys.
• Log key usage. Audit trail; detect anomalies.
• Revoke on demand. Killswitch for compromised keys.

Common API key pitfalls

• Keys in client-side code. Anyone can view source. Never put server-API keys in JS.
• Keys in git history. Even after deletion, git history retains them. Force rotation.
• Keys in URLs. Logged by proxies, browsers, analytics. Use headers.
• Single key for everything. Compromise = total breach. Use scoped keys.
• No rotation. Long-lived keys are higher risk.
• No rate limiting. Compromised key = unbounded abuse.
• Storing raw keys in DB. Breach exposes them all.
• Sharing keys via Slack/email. Keys end up in many places. Use a vault.

API key use cases

FAQ: API keys

Are API keys secure?

Less than OAuth 2.0 or mTLS. They're single-secret bearer tokens — anyone with the key has access. Good for non-critical use cases; pair with rate limiting + IP allowlists.

API key vs OAuth: which to use?

API key for server-to-server, simple. OAuth for user-facing apps, third-party access on behalf of users, scoped permissions.

How do I rotate an API key?

Generate new key, deploy with both keys valid for a transition period, switch all clients to new, then revoke old.

Should API keys expire?

Yes — set expirations (90 days typical). Force renewal. Long-lived keys are leak risk.

Where do I store API keys?

Secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler) or environment variables. Never in code or git.

How do I detect a leaked API key?

GitHub secret scanning, gitleaks, truffleHog scan repos for committed keys. Monitor key usage patterns for anomalies.

Can I use API keys in mobile apps?

Risky — mobile binaries can be reverse-engineered. Better: OAuth with PKCE. If you must use API keys, scope them tightly + rotate often.

Test API-key-protected endpoints with LoadFocus

LoadFocus runs JMeter and k6 scripts that send API keys at scale, verifying rate limits + auth from 25+ regions. Sign up free at loadfocus.com/signup.