What is an API key?

An API key is an alphanumeric string that API developers use to control access to their APIs. An API is a communication mechanism that allows data exchange between two software modules. Once you create an API for your module, other application developers can call your API to integrate your functionality into their code. For example, you could develop a module that takes a list of items as input and returns a list of stores where you can purchase the items at the lowest price. An ecommerce application could then use your API to generate a list of daily grocery deals for their customers. As the API creator, you use API keys to restrict and monitor your API access. The API key identifies authorized API usage so you can maintain, manage, and monetize your APIs more efficiently.

What are the use cases for API keys?

Software developers use API keys to manage how the APIs they create are accessed. API keys contribute to the development of modern cloud applications in several ways. 

Monitor API usage

API providers use API keys to track usage and manage API consumption, particularly for commercial applications. They bill users for the computing resources the API consumes.

As an API provider, you can limit access to the API's services with unique API keys. By allowing only legitimate traffic to pass through, you can optimize your API’s resource utilization and bandwidth capacity. You can also analyze the usage statistics of each key to adjust the quotas of different plans. 

Troubleshoot API integrations

Cloud applications may experience technical issues because of the APIs they use. Software developers use API keys to detect abnormal data patterns and match API traffic to their respective providers. This way, they can identify and isolate the specific API that prevents an application from behaving correctly. 

Identify projects

Software applications exchange sensitive data with external services through an API. API keys serve as a project authorization mechanism to regulate usage by permitted projects. To use an API, the project must present the correct API credentials to access the abstracted software functions. It’s important to note that API keys do not authenticate specific users. Instead, they broadly identify the organization associated with a specific key.

How does an API key work?

The API key consists of randomly generated letters and numbers. You associate a specific API key with a specific API client. Since API usage is essentially one software module talking to another, the keys are associated with the different software modules or applications that want to talk to your API.

When an application sends API requests, the process works as follows:

  1. The API server validates the requestor's authenticity with the unique API key
  2. If the API key doesn't match any of the permitted ones, the server declines the API call and sends a rejection message
  3. If the API key matches, the server fulfills the request and returns the expected response

This way, API keys allow the API server to identify the origin of each API call. The server can then perform subsequent validations to authorize access to the API's data and services.

Limiting API calls

API providers can use the API key to regulate varying degrees of access to their API services. Upon validating a request, the API server can check some parameters before allowing further access to its services. 

Extent of service

The server determines the extent of services it can grant to the requesting application. For example, some API keys permit the requestor to add, delete, and read information from the API's data storage. Others might limit API calls to reading information only.

Choice of functions

The server determines and enforces the scope of each API call, which lets providers customize their API services. For example, you can use API keys to limit an ecommerce application to searching product data in specific countries. You can also associate specific API keys with certain database parametric filters, such as books and apparel.

Number of calls

API providers also use API keys to tightly regulate API access. Some providers apply time or request limits to their APIs. In such cases, the client application can only use the API for the stipulated duration or up to a capped number of calls per day. Once the limits are exceeded, the server declines any requests from the associated API keys.
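The validation steps and the three limits described above (extent of service, stipulated duration, and number of calls), shown as an added example that is not part of the original page and not AWS code. The function names, the in-memory store, and the HTTP-style status codes are assumptions made for illustration; the server keeps only a hash of each key.

```python
import hashlib
import secrets
import time

# Constructed in-memory store: SHA-256(key) -> client record (hypothetical layout).
KEYS = {}

def issue_key(client, scopes, daily_quota, ttl_seconds, now=None):
    """Create a random key and record its scopes, daily quota and expiry."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)          # random, carries no client data
    digest = hashlib.sha256(key.encode()).hexdigest()
    KEYS[digest] = {"client": client, "scopes": set(scopes),
                    "quota": daily_quota, "expires": now + ttl_seconds,
                    "day": None, "used": 0}
    return key  # handed to the client once; only the hash stays on the server

def check_request(key, scope, now=None):
    """Return (status, detail) for one API call made with `key` for `scope`."""
    now = time.time() if now is None else now
    # Look up by digest, so the raw key is never stored or compared directly.
    record = KEYS.get(hashlib.sha256((key or "").encode()).hexdigest())
    if record is None:
        return 401, "unknown API key"            # step 2: decline the call
    if now >= record["expires"]:
        return 401, "expired API key"            # stipulated duration is over
    if scope not in record["scopes"]:
        return 403, "scope not permitted for this key"   # extent of service
    day = int(now // 86400)
    if record["day"] != day:                     # new day: reset the counter
        record["day"], record["used"] = day, 0
    if record["used"] >= record["quota"]:
        return 429, "daily quota exceeded"       # number of calls
    record["used"] += 1
    return 200, record["client"]                 # step 3: fulfil the request

if __name__ == "__main__":
    k = issue_key("grocery-app", {"read"}, daily_quota=2, ttl_seconds=3600)
    for scope in ("write", "read", "read", "read"):
        print(scope, check_request(k, scope))
```

A request with a disallowed scope is rejected before the quota counter is touched, so rejected calls do not consume the client's daily allowance.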

What’s the difference between an API key and API token?

An API key is a string of unique identifiers primarily intended to identify application traffic from API clients. API keys are typically associated with specific servers the calling application is deployed on. When the application makes an API request, the server identifies the calling application by the API key.  

In contrast, an API token is a string of codes containing comprehensive data that identifies a specific user. API tokens also carry the scope of access granted to a specific user. This allows the server to both authenticate requests of the calling user and validate the extent of API usage. For example, a user can use a single sign-on token to access a group of APIs. 

Generating an API key is more straightforward because of its limited role in user authorization. Conversely, more restrictions and procedures exist when you grant API tokens because they carry identification and authentication data.

On Amazon Web Services (AWS), API tokens are also called authentication tokens or security tokens. Developers use IAM permissions, a Lambda authorizer, or an Amazon Cognito user pool to create API tokens and manage access to their APIs.

What are API key best practices?

There are some best practices to keep in mind when you use API keys.

Avoid using API keys for user authentication. API keys are not intended to regulate user access. Similarly, don't include confidential information in the API keys because it might be visible during transmission. 

Don't embed API keys directly in your source code or repository. If you forget to remove them, they might be exposed to the public when you publish your application. 

Delete API keys when they are no longer in use. Consider adding expiration to the keys for more robust API security.

How can AWS help with your API key management?

Amazon Web Services (AWS) offers Amazon API Gateway for your API key management needs.

You can use API Gateway to create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs at any scale. API developers can create APIs that access AWS or other web services, as well as data stored in the AWS Cloud.

After you create, test, and deploy your APIs, you can use API Gateway usage plans to make them available as product offerings for your customers. You can configure usage plans and API keys to allow your customers to access selected APIs. And you can begin throttling requests to those APIs based on defined limits and quotas.

Get started with API key management on AWS by creating an account today
