What is an API Key?

What is an API Key?

“Welcome back to Fancy Club! May I see your membership card, please? Thank you very much, enjoy your visit.”

Just a bouncer at an exclusive event or club, software that you’re trying to gain access to wants to make sure you’re allowed in. Non-developers are used to this idea. They’ve been entering passwords to access their desktops for decades.

But API keys are a little different and have a broader range of functions and uses than mere passwords. For one thing, they’re not used by individual users.

It’s helpful to know what API keys are and what they can do, because not all APIs use them in the same way. There are times an API may not ask for an API key, and whether or not the developers have chosen to require them depends on the context of their project.

Get to know the different uses of API keys, and you also learn a lot about some of the foundations of modern cybersecurity. That’s interesting, but more importantly, useful.


    What is an API Key?

    An API key is a piece of identifying code that is used to identify a caller to an application programming interface (API).

    An API is the connection between two pieces of software. Specifically, one piece of software will use an API call to request some kind of information from another.

    When this happens, the second piece of software will check the API key supplied by the first. It might do this to see if the software making the request is authorized to do so. If it isn’t, the request will be denied. The API key can also be used to identify the specific caller – meaning the software, not the end user.

    What is an API key?

    What is an API key?

    When to use an API Key?

    The decision to use an API key in a particular way generally belongs to the developers of the software receiving the API call, not the software that will be making requests. As a result, if you’re developing a digital product and want to request information from another via an API, it’s not your choice whether to use one.

    For example, if your eCommerce delivery fulfillment application needs to use the Google Maps API for its map functionality, Google won’t give you the choice on whether to include an API key with your requests.

    That said, if you’re developing a digital product that others will be sending requests to, you do have some freedom when it comes to how – and whether – to use API keys.

    If that describes your situation, you may want to use an API key under the following circumstances:

    • To block anonymous traffic. If you’re receiving an API call from an anonymous source, you might not want them to have access to the answer to their questions – not least for security reasons.
    • To restrict the number of API calls you receive. Just like people, software can get overwhelmed when too much is asked of it. Consider the possibility of losing functionality because of excessive requests – potentially a disaster. Restricting the number of calls helps address this issue.
    • To identify traffic and any usage patterns. Rather than avoiding harm, this reason is about gaining an advantage – data from API keys can provide valuable insights.

    However, there are important things an API key can’t do.

    What is Java used for?

    API keys are not all-in-one access and data solutions. Areas where API keys may not be able help include:

    • Identifying individual users. For some large provider’s (like Google), rather than identify end users, API keys identify projects. However, some services offer ‘all-in’ API keys, where each user does have a unique key for both authentication and identification. If you use GitHub, you may even have one key per user, with the key granting access to multiple projects!
    • Identifying who created a project making an API call.
    • Secure authorization. For that, you’ll need authentication tokens.

    Regarding that final point, it’s worth spending a moment more on API security.

    Are API Keys secure?

    Short answer; nope.

    Long answer; because most of the time API keys can be accessed by clients, it’s not difficult to steal one. If your API security efforts relied solely on API keys, this would be a problem, as they don’t expire. The project owner needs to revoke or regenerate the key, in this event. That would, of course, mean that the project owner would need to realize the key had been stolen.

    While it’s true that some of the restrictions that can be added to keys mitigate this risk, there are far more effective ways to ensure security, such as Firebase Authentication or Auth0.

    Why do API Keys matter?

    API keys are so common today partly because of the rapid rise of Jamstack – an architecture that’s revolutionizing modern development. While this approach – which combines JavaScript, API, and Markup – isn’t the best solution for every project, its flexibility and modularity are key advantages and it will work for many projects.

    With APIs a component of Jamstack, API keys have also proliferated.

    Bring your project to life

    This article has only revealed the tip of the iceberg when it comes to APIs, Jamstack, and software development more broadly.

    If you’re ready to get your development project moving forward, why not drop us a line? We’d be excited to hear all about your project, your ambitions, and your goals. Who knows? As specialist digital product developers, we might be able to help you succeed.

    2022-06-0813 mins

    Alexander Smithers

    Hello! I'm the head of content at Develocraft. I'm also a startup guy (no joke)! I've worked with a lot of them and learned so much. I'm here to help you by sharing that knowledge. I'm always open to collaborations. Find me on LinkedIn.

    Share article