What is API Key?
Turkish: API Key
An API key identifies an application or developer and supports quota tracking, access limits, and basic server-to-server security.
What is an API Key?
An API key is a unique secret used to identify the application, developer, or customer making an API request. It is usually sent in an HTTP header, where the API can check which plan, quota, or access rights apply.
An API key often answers “which integration is calling?” It does not, by itself, safely answer “which end user is this acting for?” When user authorization is required, OAuth2 or token-based flows are usually a better fit.
How It Is Used
- Server-to-server integrations may send it in an
X-API-KeyorAuthorizationheader. - Keys should be stored in environment variables or a secret manager.
- Access can be restricted by IP, domain, referrer, endpoint scope, or plan.
- Rotation, revocation, and usage logs should be planned before production use.
Security Considerations
If an API key is embedded in browser-side JavaScript, users can see it. Mobile apps should not be treated as fully secret storage either. Sensitive operations often need a backend proxy, short-lived token, or signed request in addition to the key.
A JWT can carry user or session context, while an API key usually manages application identity and usage quotas. The two mechanisms can be used together for different purposes in the same system.
Related Terms
JWT is a signed and encoded JSON-based token standard used to carry verifiable claims between APIs, clients, and services.
OAuth 2.0OAuth 2.0 is an authorization framework that allows third-party applications to access resources without the user's password.
Secrets ManagementSecrets management securely stores, distributes, rotates, and audits sensitive values such as API keys, passwords, and certificates.