IDSync — identity software buyer platform
Run Stack Finder

Machine Identity

API Key

An API key is a long, opaque string an application sends with each request to authenticate to an API — simple to implement but weak compared to OAuth, mTLS, or workload identity for high-value APIs.

Last reviewed 5/30/2026

Key points

  • Long-lived, bearer credential
  • Easy to leak (GitHub, logs, frontend bundles)
  • No built-in expiry, scopes, or rotation
  • Acceptable for low-risk APIs; replace with OAuth/OIDC for sensitive ones
  • A leading cause of cloud breaches when leaked

What it is

An API key is a static, opaque string used to identify and authenticate a caller to an API. It's the simplest possible auth mechanism — and the easiest to misuse.

How it works

The API issues a key (typically 32+ random characters). The caller sends it on each request via Authorization: Bearer <key> or a custom header. The API looks it up, checks status and rate limits, and authorizes.

When buyers care

  • Developer-facing APIs where simplicity matters
  • Internal service-to-service calls inside a trusted network
  • Webhooks where signatures + a shared secret are common

Risks

  • Keys leak via GitHub commits, logs, frontend code, screenshots
  • No expiry — leaked keys stay valid for years
  • Often over-scoped (one key, full account access)
  • Rotation is operationally painful, so it's rarely done

Modern alternatives

  • OAuth 2.0 for user-context access and scoped third-party access
  • mTLS for service-to-service in zero-trust networks
  • Workload identity (IAM roles, OIDC federation) for cloud and CI/CD callers
  • Signed requests (AWS SigV4-style) when bearer leakage is the main concern

FAQ

Can API keys be made safe?

Mitigate the worst risks with: scoped keys, short rotation cycles, prefix-based key types so they can be auto-revoked when leaked (sk_live_...), and runtime secret-scanning. Better: replace with short-lived OAuth tokens.