APIs & Authentication
What is an API key?
A secret string that identifies and authenticates a client when calling an API, usually passed in a header on each request.
An API key is the simplest form of API authentication: the service issues you a long random string, you include it in every request (typically as Authorization: Bearer sk_live_… or in an X-API-Key header), and the service uses it to identify your account, scope your permissions, and meter your usage.
Keys are easy to generate, rotate, and revoke, which is why they dominate developer-facing APIs. The trade-off versus OAuth is that an API key authenticates the application, not an end user: fine for server-to-server traffic, wrong for any flow where a real user's identity matters, because every request the key makes is indistinguishable from the next.
Keep API keys out of client-side code, public repos, and Slack channels. Use environment variables, secret managers (Vault, Doppler, AWS Secrets Manager), and short-lived keys with scoped permissions. Every leaked-key incident has the same post-mortem.
In the wild
- Authorization: Bearer sk_live_abc123… (header)
- X-API-Key: ctx_abc123… (header)
- ?api_key=… (query string; worst option, leaks into access logs, proxies and browser history)
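The server side of the scheme described above, as an added example that is not Brand.dev's code: a key is minted with a public key id and a secret, only the secret's hash is stored, the key is accepted from the Authorization: Bearer or X-API-Key header and refused from the query string, and each accepted call is checked against revocation, expiry, scope and quota before it is counted. The ctx_ prefix is taken from the page; the "ctx_<key id>.<secret>" layout, the scope names, the record fields and the account id are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Added example, not Brand.dev's code. The "ctx_" prefix comes from the page;
# the layout "ctx_<key id>.<secret>" and the record fields below are assumptions.
KEY_PREFIX = "ctx_"


@dataclass
class KeyRecord:
    account: str
    secret_hash: str          # sha256 of the secret half; the plaintext is never stored
    scopes: frozenset
    quota: int                # calls allowed in the metering window
    expires_at: float         # unix time; short-lived keys simply stop working
    used: int = 0
    revoked: bool = False


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_key(store: dict, account: str, scopes, ttl_seconds: int, quota: int, now=None) -> str:
    """Mint a key, store only its hash, and hand back the plaintext exactly once."""
    now = time.time() if now is None else now
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    store[key_id] = KeyRecord(account, _hash(secret), frozenset(scopes), quota, now + ttl_seconds)
    return f"{KEY_PREFIX}{key_id}.{secret}"


def extract_key(headers: dict, url: str):
    """Take the key from Authorization: Bearer or X-API-Key; refuse ?api_key=."""
    if "api_key" in parse_qs(urlsplit(url).query):
        raise ValueError("api_key in the query string is refused: it ends up in access logs")
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    return headers.get("X-API-Key")


def authenticate(store: dict, headers: dict, url: str, required_scope: str, now=None):
    """Return (account, None) on success or (None, reason) on failure; meters accepted calls."""
    now = time.time() if now is None else now
    key = extract_key(headers, url)
    if not key or not key.startswith(KEY_PREFIX) or "." not in key:
        return None, "malformed or missing key"
    key_id, _, secret = key[len(KEY_PREFIX):].partition(".")
    rec = store.get(key_id)
    # Compare hashes in constant time. When the key id is unknown we still hash
    # and compare, so "no such key" and "wrong secret" take the same time.
    expected = rec.secret_hash if rec else _hash("")
    if not hmac.compare_digest(_hash(secret), expected) or rec is None:
        return None, "invalid key"
    if rec.revoked:
        return None, "key revoked"
    if now >= rec.expires_at:
        return None, "key expired"
    if required_scope not in rec.scopes:
        return None, f"key lacks scope {required_scope}"
    if rec.used >= rec.quota:
        return None, "quota exceeded"
    rec.used += 1               # metering: only in-scope, accepted calls count
    return rec.account, None


def revoke(store: dict, key: str) -> bool:
    """Disable a key by its public id; the secret is not needed to revoke it."""
    key_id = key[len(KEY_PREFIX):].partition(".")[0]
    if key_id in store:
        store[key_id].revoked = True
        return True
    return False


if __name__ == "__main__":
    store = {}
    key = issue_key(store, "acct_demo", ["brand:read"], ttl_seconds=3600, quota=100)
    print(authenticate(store, {"Authorization": f"Bearer {key}"}, "/v2/brand", "brand:read"))
    print(authenticate(store, {"X-API-Key": key}, "/v2/brand", "brand:write"))
```

The lookup is by the public key id, so a database index works; the secret half is what gets hashed and compared with hmac.compare_digest. Because the server never stores the secret, a dump of the key table does not yield usable keys, and the key id is safe to write into access logs for later auditing.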
How Brand.dev uses API keys
Endpoints in the Brand.dev API where this concept comes up directly.
FAQ
API key vs OAuth?
API keys identify an application. OAuth identifies a user (or, with client_credentials, an application). Use keys for server-to-server, OAuth when you need user-scoped access.
How should I store API keys?
Environment variables for development, a secret manager (1Password, Doppler, Vault) for production. Never check them into git; a pre-commit secret scanner catches the slips that code review misses.
What do I do if my API key leaks?
Revoke it immediately in the provider's dashboard, rotate to a new key, audit usage logs for unauthorized calls, and figure out how it leaked so it doesn't happen again. Until the audit says otherwise, treat everything the key could reach as exposed.
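The "audit usage logs" step, as an added example that is not Brand.dev's code: a pass over constructed access-log lines that pulls out every call made with the leaked key after the moment it was exposed, from any address the account had not used before, and summarises what the caller touched. It assumes the server logs a public key id rather than the key itself, the one-line log format shown, an exposure time taken from the commit that leaked the key, and a known set of the account's own source addresses.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample, not real Brand.dev logs. Format (an assumption):
# <ISO time> key=<public key id> ip=<client> path=<endpoint> status=<http status>
# The server logs only the key id, never the secret, so the log is safe to search.
SAMPLE_LOG = """\
2024-05-01T08:55:10Z key=ctx_7f3a ip=203.0.113.10 path=/v2/brand status=200
2024-05-01T09:14:02Z key=ctx_7f3a ip=203.0.113.10 path=/v2/brand status=200
2024-05-01T09:31:47Z key=ctx_7f3a ip=198.51.100.77 path=/v2/brand status=200
2024-05-01T09:31:48Z key=ctx_7f3a ip=198.51.100.77 path=/v2/brand status=200
2024-05-01T09:32:05Z key=ctx_7f3a ip=198.51.100.77 path=/v2/search status=403
2024-05-01T09:40:00Z key=ctx_9c1d ip=198.51.100.77 path=/v2/brand status=401
2024-05-01T09:45:12Z key=ctx_7f3a ip=203.0.113.10 path=/v2/brand status=200
"""


def parse_ts(s: str) -> datetime:
    """Parse the log's UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with keys ts, key, ip, path, status."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = parse_ts(ts)
    return rec


def audit_leaked_key(log_text: str, key_id: str, leaked_at: str, known_ips) -> dict:
    """Report calls made with key_id after leaked_at from addresses outside known_ips."""
    known = set(known_ips)
    since = parse_ts(leaked_at)
    suspicious = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["key"] != key_id or rec["ts"] < since:
            continue
        if rec["ip"] in known:
            continue                      # the account's own traffic
        suspicious.append(rec)
    return {
        "calls": len(suspicious),
        "by_ip": dict(Counter(r["ip"] for r in suspicious)),
        "first_seen": min((r["ts"] for r in suspicious), default=None),
        "paths": sorted({r["path"] for r in suspicious}),
        # 403s from the thief show which endpoints the key's scopes kept closed
        "scope_probing": sum(1 for r in suspicious if r["status"] == "403"),
    }


if __name__ == "__main__":
    report = audit_leaked_key(SAMPLE_LOG, "ctx_7f3a", "2024-05-01T09:20:00Z", {"203.0.113.10"})
    for k, v in report.items():
        print(f"{k}: {v}")
```

The first suspicious timestamp bounds how long the key was abused before revocation; the path list tells you what data to treat as exposed, and the 403 count shows whether the key's scopes limited the damage, which is the argument for issuing narrowly scoped keys in the first place.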
Related terms
OAuth: A protocol that lets users grant a third-party app limited access to their data on another service, without sharing their password.
JWT: A JSON Web Token, a compact, signed piece of JSON used to convey claims (who the user is, what they can do) between systems.
API: An Application Programming Interface, a contract that lets one program request actions or data from another in a stable, documented way.
REST API: An API that follows REST conventions, using HTTP methods on resource URLs to model create/read/update/delete operations.