What Is an API Key?
An API key is a static token used to authenticate programmatic access to an application programming interface, a string of characters an application includes with each request to prove it’s allowed to call that API. Unlike a human login, there’s typically no username, no MFA prompt, and often no expiration: whoever holds the key can make the calls it authorizes.
That simplicity is also the risk. API keys get copied into config files, environment variables, CI/CD pipelines, and sometimes committed directly into source code. Once a key exists in more than one place, which is common, there’s no single system that can say with confidence everywhere it’s currently stored or used.
Because a key is just a string, revoking access after an employee leaves or a vendor relationship ends requires someone to actually know the key exists and rotate it. API keys created for a one-off integration years ago routinely stay valid long after anyone remembers issuing them, which is why they’re a recurring finding in breach post-mortems: not because the technology is unusual, but because no one owns the cleanup.