What is API Key?

Turkish: API Key

An API key identifies an application or developer and supports quota tracking, access limits, and basic server-to-server security.

What is an API Key?

An API key is a unique secret used to identify the application, developer, or customer making an API request. It is usually sent in an HTTP header, where the API can check which plan, quota, or access rights apply.

An API key often answers “which integration is calling?” It does not, by itself, safely answer “which end user is this acting for?” When user authorization is required, OAuth2 or token-based flows are usually a better fit.

How It Is Used

  • Server-to-server integrations may send it in an X-API-Key or Authorization header.
  • Keys should be stored in environment variables or a secret manager.
  • Access can be restricted by IP, domain, referrer, endpoint scope, or plan.
  • Rotation, revocation, and usage logs should be planned before production use.

Security Considerations

If an API key is embedded in browser-side JavaScript, users can see it. Mobile apps should not be treated as fully secret storage either. Sensitive operations often need a backend proxy, short-lived token, or signed request in addition to the key.

A JWT can carry user or session context, while an API key usually manages application identity and usage quotas. The two mechanisms can be used together for different purposes in the same system.