The API key is a string used to authenticate applications when they make an API request. For API services that handle sensitive data, private keys are a fundamental piece of the architecture, as they allow access only to data and services for which authorization is granted.

API keys are also widely used for monitoring and managing APIs: in fact, they allow tracking the use of services by individual clients and applying call limitations, preventing abuse and security risks.

API key: what is it?

An API key (Application Programming Interface Key) is a unique identifier, generally a randomly generated string of characters, used to authenticate clients and provide them access to APIs.

The application adds its API key to each request directed to a certain API or to a set of API services, which can use the key to identify the application and authorize the request.

The API key is a code that must be carefully stored and kept confidential, exactly like a password. However, unlike a password, the API key does not refer to a real user and does not need to be changed periodically to ensure its security.

Public and private API keys: differences and what they are used for

There are two main types of keys used to access data and services via API: public and private ones.

Public API keys are those used for access to non-sensitive data and features that do not require authentication. They are generally used to integrate functionalities or services from other applications: for example, they are what allow access to Google Maps or social media functionalities.

The usefulness of public API keys lies essentially in monitoring: they are in fact used to track service usage and apply rate limiting, limiting the number of requests a user can make to a specific API over a given period.

Private API keys, on the other hand, are used to access sensitive data or services that need to be controlled, such as payment services. These keys are issued by API service providers to a specific user and must not be shared with others.

Sometimes public and private keys are used together: this happens, for example, when the client uses the private key to generate a digital signature to include in the request. In this case, the API server can verify the digital signature using the corresponding public key. Used in this way, API keys allow tracing the specific users who sent the requests, ensuring a high level of security.

How to use an API key?

To use a private API key to access a service provided via API, it is necessary to request it from the provider offering the relevant APIs, such as Openapi. The first step is to create an account with the API provider and choose the type of service to use.

At that point, the provider supplies the key, which must be copied and stored with the utmost care: in most cases, in fact, the key is data the provider does not have access to, and therefore impossible to recover if lost.

Once the key is obtained, it will be enough to insert it into the API requests: according to the provider’s instructions, the key can be inserted in the query, in the header, or as a cookie.

{ANCHOR LEV=1}When to use API keys?{END_ANCHOR}

Used alone, API keys are not the most secure authentication system for API applications, because they allow identification of the calling app but not of the end user. In services that require a higher level of security, in fact, they are used in combination with other keys or more elaborate systems such as those using tokens or OAuth.

Since they allow identifying the app from which certain requests originate, API keys are very useful in the following areas:

• Security: they prevent unauthorized access to data and resources;
• Monitoring: they allow monitoring API usage by individual users (useful for billing purposes but also to resolve potential issues);
• Management: they allow applying a rate limit, i.e., limiting the number of API calls a client can make in a certain period of time, preventing abuse and security risks;
• Process automation: as an immutable element of one’s API ecosystem, the key allows automating requests and generating usage statistics.

Authentication via API key and token

API keys are a fundamental element of web application security, as they allow controlling access to data and monitoring software usage. On the other hand, API keys can end up being shared with third parties and are therefore not the most secure form of authentication and authorization for an application.

In the architecture of Openapi services, API keys are used to generate a token that allows access to one or more resources for a specific period of time. The API key, in this sense, ensures that each client can access only the services for which they have authorization, but also allows monitoring the activity of individual applications—providing essential data for delivering an increasingly efficient and personalized service.