Tech blog and developer tools
An API key is a unique identifier used to authenticate requests to an API (Application Programming Interface). Think of it like a password that identifies your application rather than a user. API keys were popularized in the early 2000s when companies like Google, Amazon, and eBay started opening their services to third-party developers and needed a simple way to track and control access.
Unlike OAuth tokens, which are designed for user-level authentication, API keys are typically tied to a project or application. They are commonly passed via HTTP headers (like Authorization: Bearer ...), query parameters, or request bodies.
Fun fact: the concept of API keys predates REST APIs. Early web services using SOAP and XML-RPC already used similar key-based authentication as far back as 2002. Today, almost every major platform from Stripe to OpenAI uses API keys as the primary method of authenticating programmatic access.
A 256-bit key has more possible combinations than atoms in the observable universe (~10^77). Even a 128-bit key would take billions of years to brute-force with current technology. That is why key length directly impacts security.
Never hardcode API keys in source code. Use environment variables or secret managers like AWS Secrets Manager, HashiCorp Vault, or Doppler. Rotate keys regularly and use different keys for development and production.
Companies like Stripe use prefixes such as "sk_live_" and "sk_test_" to distinguish between live and test keys. This prevents accidental use of test credentials in production and makes leaked keys easier to identify.
API keys are often used for rate limiting. Services track how many requests each key makes per minute or day. Google Maps, for example, allows 28,500 free map loads per month per key before charging.