An API key is a secret token that a client sends with each request so an API can identify who is calling it. It works like a password for software rather than for a human user. When you sign up for a service, that service generates an API key and expects you to include it in HTTP headers or query parameters. The backend application server then checks the key against its records to decide whether to allow the request. Because an API key often maps to a single project or system, it is commonly used for simple authentication and tracking usage.
Why it matters
If an attacker steals your API key, they can often act as your system and consume paid API resources or access sensitive data. This is why keys must be kept out of public code and stored in environment variables or secret stores instead of being hard-coded in a repository. Many platforms use API keys together with rate limiting so they can see who is generating traffic and enforce fair usage.
How it works
When a request hits an endpoint, middleware in the application server checks the API key and, if valid, attaches information about the caller to the request context. That context can include the plan level, permissions, or remaining quota, which are then used by business logic and rate-limit checks. You can see how this appears in practice in the lesson Handling Secrets and Configuration.
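The following is an added example, not code from the lesson, that ties together the two points above: the client loads its key from an environment variable rather than from source code, and the server-side middleware verifies the key, attaches a caller context (project, plan, permissions, remaining quota) to the request, and applies a rate-limit check before any business logic runs. The header name X-API-Key, the environment variable EXAMPLE_API_KEY, the key records, the plans and quotas, and the route table are all constructed for this example.

```python
import hashlib
import os
import time
from dataclasses import dataclass

# --- Client side: the key comes from the environment, never from source code. ---
# EXAMPLE_API_KEY is a hypothetical variable name chosen for this example.
def load_client_key(env_var: str = "EXAMPLE_API_KEY", environ=None) -> str:
    environ = os.environ if environ is None else environ
    key = environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a key")
    return key

def client_headers(key: str) -> dict:
    # Sending the key in a header rather than a query parameter keeps it out of
    # URL logs, referrers and browser history.
    return {"X-API-Key": key}

# --- Server side ---
def hash_key(raw_key: str) -> str:
    # The server keeps only a SHA-256 digest of each issued key, so a leaked key
    # table cannot be replayed directly against the API.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

# Constructed sample key records for two hypothetical projects.
KEY_RECORDS = {
    hash_key("demo-free-key-0001"): {
        "project": "proj-free", "plan": "free",
        "permissions": frozenset({"read"}), "quota_per_minute": 3,
    },
    hash_key("demo-pro-key-0002"): {
        "project": "proj-pro", "plan": "pro",
        "permissions": frozenset({"read", "write"}), "quota_per_minute": 1000,
    },
}

@dataclass
class CallerContext:
    project: str
    plan: str
    permissions: frozenset
    quota_per_minute: int
    remaining_quota: int = 0

class RateLimiter:
    """Fixed one-minute window counter per project (in-memory, single process)."""
    def __init__(self, window_seconds: int = 60):
        self.window_seconds = window_seconds
        self.counts = {}

    def consume(self, project: str, limit: int, now: float):
        window = int(now // self.window_seconds)
        used = self.counts.get((project, window), 0)
        if used >= limit:
            return False, 0
        self.counts[(project, window)] = used + 1
        return True, limit - used - 1

def authenticate(headers: dict, records=KEY_RECORDS):
    """Middleware step 1: map the presented key to a caller context, or None."""
    raw = headers.get("X-API-Key")
    if not raw:
        return None
    record = records.get(hash_key(raw))
    if record is None:
        return None
    return CallerContext(record["project"], record["plan"],
                         record["permissions"], record["quota_per_minute"])

# Hypothetical endpoint table: which permission each route requires.
ROUTES = {("GET", "/v1/items"): "read", ("POST", "/v1/items"): "write"}

def handle_request(method, path, headers, limiter, now=None):
    """Middleware step 2: authenticate, authorise, rate-limit, then run business logic."""
    now = time.time() if now is None else now
    ctx = authenticate(headers)
    if ctx is None:
        return 401, {"error": "missing or invalid API key"}
    needed = ROUTES.get((method, path))
    if needed is None:
        return 404, {"error": "no such endpoint"}
    if needed not in ctx.permissions:
        return 403, {"error": f"plan {ctx.plan} lacks {needed} permission"}
    allowed, ctx.remaining_quota = limiter.consume(ctx.project, ctx.quota_per_minute, now)
    if not allowed:
        return 429, {"error": "rate limit exceeded", "project": ctx.project}
    # Business logic sees only the attached context, never the raw key.
    return 200, {"project": ctx.project, "plan": ctx.plan, "remaining": ctx.remaining_quota}
```

The order of checks is deliberate: a missing or unknown key is rejected before any lookup of plan data, a permission failure is rejected before it consumes quota, and only requests that pass all three reach the handler, which works from the attached context rather than re-reading the key.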