API key

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

An application programming interface (API) key is a unique identifier used to authenticate a user, developer, or calling program to an API.[1] However, they are typically used to authenticate a project with the API rather than a human user.[1][2] Different platforms may implement and use API keys in different ways.


The API key often acts as both a unique identifier and a secret token for authentication, and will generally have a set of access rights on the API associated with it.[3]

HTTP APIs[edit]

API keys for HTTP-based APIs can be sent in multiple ways:[4]

In the query string:

POST /something?api_key=abcdef12345 HTTP/1.1

As a request header:

GET /something HTTP/1.1
X-API-Key: abcdef12345

As a cookie:

GET /something HTTP/1.1
Cookie: X-API-KEY=abcdef12345


API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key.[2] If an API key is meant to be accessible to the client, it is only considered secure if used together with other security mechanisms such as HTTPS/SSL.[4]


API keys of Android apps were leaked due to having been hardcoded into apps.[5]


  1. ^ a b "API Key - What is an API Key?". Last Call - RapidAPI Blog. Retrieved 2019-09-20.
  2. ^ a b "Why and when to use API keys | Cloud Endpoints with OpenAPI". Google Cloud. Retrieved 2019-09-20.
  3. ^ IBM Application Security on Cloud (Generating API Keys)
  4. ^ a b "API Keys". Archived from the original on 2019-10-17.
  5. ^ "Hundreds of popular Android apps contain hard-coded secret keys". ZDNet. Retrieved 2022-06-20.

Book sources[edit]

External links[edit]