What is an API Key?

A practical guide to the role of API keys in integrations, and how to handle them safely.

Quick answer

An API key is a secret value used to identify a client or app and allow access. Do not expose it publicly, do not embed it in frontend code, and separate it by use case.

Generate an API Key

What the key does

An API key identifies the caller and grants access. In some services it acts as the primary credential, but in many cases it is treated as a secret value for deciding who made the request.

Where it should live

Keep API keys in an environment variable or secret manager and read them only on the server. Avoid placing them directly in browser code or public repositories.

Do not hardcode it into frontend code
Store it in `.env.local` or a secret manager
Separate public-facing keys from admin keys

Operational tips

Split keys by purpose so an incident affects less surface area. If the service supports scopes, use the minimum scope needed, and retire keys you no longer use.

Many API keys work as bearer-style secrets, so it helps to plan rotation and exposure response before you need them.

Related guides

What is a JWT Secret?

A useful baseline for handling secret values in general.

API Key Generator

Create a ready-to-use API key in the browser.