Definition
An API key is a unique string of characters that identifies an application or user when it makes a request to an API. Think of it as a password for software-to-software communication. When your website or application needs to connect to a third-party service — a payment processor, a mapping service, an email platform — it includes the API key with each request to prove it is authorised to access that service. API keys are typically generated in the provider’s dashboard and stored securely in your application’s configuration.
Why It Matters
API keys control who can access a service and how much they can use it. They allow service providers to track usage, enforce rate limits, and revoke access if something goes wrong. For a business owner, understanding API keys matters because they appear in almost every integration your systems rely on. Mishandling them — publishing them in public code repositories, sharing them over email, or failing to rotate them periodically — can give unauthorised parties access to your paid services, customer data, or internal systems. Treating API keys with the same care as passwords is a basic but essential security practice.
Example
Your website displays an interactive map powered by a mapping service. To use the mapping API, your developer generates an API key in the provider’s dashboard and adds it to your website’s configuration. The key is restricted so it only works from your domain. If a competitor tries to copy the key and use it on their site, the mapping service rejects the request because the domain does not match. Meanwhile, the provider’s dashboard shows you exactly how many map views your site generates each month.