ToolSec

๐Ÿ”‘ Passwords & Secrets

What Is an API Key? (And How to Keep It Secret)

ยท 6 min read ยท Updated June 27, 2026

Almost every service you integrate with hands you an API key. They're simple in concept but easy to mishandle โ€” leaked keys are one of the most common causes of breaches. Here's what an API key is and how to treat it responsibly.

What is an API key?

An API key is a long, random string that identifies and authenticates an application (not a person) when it calls an API. The server checks the key on each request to decide whether to allow it and which account it belongs to. Think of it as a password for a program โ€” a secret that proves "this request is authorised."

API key vs password vs token

  • Password โ€” authenticates a human; meant to be memorised; should be hashed at rest.
  • API key โ€” authenticates an application; long and random; usually long-lived until rotated.
  • Token (e.g. JWT) โ€” often short-lived, may carry claims, and is issued after an auth step. See our JWT guide.

Unlike a password, nobody needs to remember an API key, so it should be as long and random as practical.

How much randomness does a key need?

Security comes entirely from the key being unguessable. Aim for at least 128 bits of entropy; 256 bits is a comfortable margin for long-lived keys. In practical terms that's roughly 32 hex characters or about 22 Base64url characters. Generating keys from a cryptographic random source โ€” not a human-chosen phrase โ€” is essential.

What about prefixes?

Many providers prefix keys to make them recognisable: Stripe uses sk_live_, GitHub uses ghp_. The prefix adds no security, but it helps humans and automated secret-scanners spot a leaked key instantly. The random body is what protects it.

Best practices for handling keys

  • Never commit keys to source control. Leaked Git history is a top source of exposed secrets โ€” and bots scan public repos within minutes.
  • Don't log them. Keys in log files or error messages are a common silent leak.
  • Store them in environment variables or a secrets manager, not in code or config files checked into the repo.
  • Scope and limit them. Use the narrowest permissions and, where possible, restrict by IP or domain.
  • Rotate regularly and immediately after any suspected exposure. Treat rotation as routine, not an emergency-only action.

If a key leaks

Revoke it immediately, issue a new one, and check the provider's logs for unauthorised use. Because keys are long-lived, a leaked key can be abused until it's revoked โ€” speed matters.

Try it

Generate cryptographically strong keys โ€” in hex, Base64url or alphanumeric, with an optional prefix โ€” using our API key generator, which shows the entropy for your settings. For human passwords instead, see the password generator.

Frequently asked questions

What's the difference between an API key and a password?

A password authenticates a person and is meant to be memorised. An API key authenticates an application, is long and random, and nobody needs to remember it โ€” so it should have far more entropy.

How long should an API key be?

Target at least 128 bits of entropy (about 32 hex or 22 Base64url characters); 256 bits is a safe choice for long-lived keys. Always generate them from a cryptographic random source.

What should I do if my API key leaks?

Revoke it immediately, generate a replacement, and review the provider's logs for unauthorised use. Because keys are long-lived, fast revocation limits the damage.

Try the related tools

Related guides