How API keys work for authentication

· Category: API & REST

Short answer

API keys are opaque strings issued to clients that identify the caller and enforce rate limits and permissions.

Steps

  1. Generate cryptographically random keys that are long and unguessable.
  2. Distribute keys securely through developer portals or encrypted channels.
  3. Require keys in a header or query parameter on every request.
  4. Validate keys against a database and attach metadata such as tier and rate limits.
  5. Rotate keys periodically and provide self-service revocation.

Tips

  • Never embed API keys in client-side code exposed to end users.
  • Use separate keys for different environments such as staging and production.
  • Monitor key usage for anomalies that indicate compromise.
  • Scope keys to specific endpoints or operations when possible.

Common issues

  • Keys leaked in public repositories or browser network tabs.
  • Lack of key rotation forcing emergency shutdowns.
  • Storing keys in plaintext databases rather than hashing or encrypting them.
  • Using API keys as the sole security mechanism for sensitive operations.
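The issue/validate/rotate/revoke steps above, plus the hash-not-plaintext storage point from this list, as an added Python sketch that is not part of the original page; the in-memory KEY_STORE, the `<key_id>.<secret>` format and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory store (key_id -> record); only the secret's hash is kept.
KEY_STORE = {}

def _hash_secret(secret: str) -> str:
    # Secret has 256 bits of entropy, so unsalted SHA-256 suffices (unlike passwords).
    return hashlib.sha256(secret.encode("ascii")).hexdigest()

def issue_key(owner: str, tier: str, rate_limit: int, scopes: tuple) -> str:
    """Create a key as '<key_id>.<secret>' and persist only hash + metadata.
    The full key is returned exactly once; the server cannot recover it."""
    key_id = secrets.token_hex(8)        # public handle used for lookup
    secret = secrets.token_urlsafe(32)   # 32 random bytes, unguessable
    KEY_STORE[key_id] = {"owner": owner, "tier": tier, "rate_limit": rate_limit,
                         "scopes": scopes, "hash": _hash_secret(secret),
                         "revoked": False}
    return f"{key_id}.{secret}"

def validate_key(presented: str) -> Optional[dict]:
    """Return the key's metadata if it is valid and not revoked, else None."""
    key_id, sep, secret = presented.partition(".")
    record = KEY_STORE.get(key_id) if sep else None
    if record is None or record["revoked"]:
        return None
    # Constant-time comparison so a timing difference cannot leak the hash.
    if not hmac.compare_digest(record["hash"], _hash_secret(secret)):
        return None
    return {k: record[k] for k in ("owner", "tier", "rate_limit", "scopes")}

def revoke_key(key_id: str) -> bool:
    """Self-service revocation: mark the key unusable but keep it for auditing."""
    record = KEY_STORE.get(key_id)
    if record is None:
        return False
    record["revoked"] = True
    return True

def rotate_key(presented: str) -> Optional[str]:
    """Issue a replacement carrying the same metadata, then revoke the old key."""
    meta = validate_key(presented)
    if meta is None:
        return None
    new_key = issue_key(meta["owner"], meta["tier"], meta["rate_limit"], meta["scopes"])
    revoke_key(presented.partition(".")[0])
    return new_key
```

The key_id prefix lets the server look up a record without indexing on the secret, so a dumped KEY_STORE contains nothing a client could present.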

Example

curl -X GET https://api.example.com/users \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $TOKEN"

This curl command demonstrates a standard GET request with headers for content negotiation and bearer token authentication.