Authentication & Identity

API Key

An API key is a simple secret token used to authenticate requests to an API, typically passed as a query parameter or HTTP header. Unlike OAuth tokens, API keys are usually long-lived and tied to an application rather than a specific user. API keys should be treated like passwords: stored securely, rotated regularly, and never committed to source code repositories. Leaked API keys in GitHub repos are a common source of cloud account breaches.

Why it matters for your website

1Directly impacts resistance to account takeover and credential theft
2Required for SOC 2, HIPAA, and PCI-DSS compliance
3Misconfiguration can expose all user accounts to attack

Check your site for API Key issues

Run a free scan to see if your domain has any API Key-related vulnerabilities or misconfigurations.

Related Terms

Bearer Token
JWT
OAuth

Browse Glossary

View all 85 terms

Free Security Scan

See your SSL, headers, CORS, DNS, and email security score in seconds.