API Key Authentication
An authentication method where a unique key is issued to identify and authenticate API consumers, commonly used for server-to-server and third-party integrations.
Description
API Key Authentication is a simple authentication mechanism where a unique, long-lived string (the API key) is issued to a client and included in API requests to identify and authenticate the caller. API keys are typically sent via HTTP headers (Authorization: Bearer <key> or a custom header like X-API-Key), query parameters (discouraged, since query strings are routinely written to server, proxy and browser logs), or request bodies. They are most appropriate for server-to-server communication, third-party developer integrations, and service identification rather than end-user authentication.
API keys differ from OAuth tokens in that they typically identify an application or service account rather than a specific user, have longer lifetimes (months to years), and carry coarser-grained permissions. They are essentially shared secrets, which means their security depends entirely on proper storage and transmission. Keys must be generated with sufficient entropy (at least 256 bits), transmitted only over TLS, and stored hashed (SHA-256 or better) on the server side -- never in plaintext.
A well-designed API key system includes key prefixes for identification (e.g., 'sk_live_' for secret keys, 'pk_test_' for publishable test keys, following the Stripe pattern), scoping to limit what each key can access, rate limiting per key, usage analytics and logging, rotation capabilities without downtime, and immediate revocation support. Never embed API keys in client-side code, mobile apps, or version control. Use environment variables or secret management services (AWS Secrets Manager, HashiCorp Vault) for key storage.
Prompt Snippet
Implement API key authentication with prefixed keys (e.g., 'sk_live_', 'sk_test_') for environment identification. Generate keys using crypto.randomBytes(32) and display the full key only once at creation. Store a SHA-256 hash of the key in the database alongside metadata (name, scopes, created_at, last_used_at, expires_at). On each request, extract the key from the Authorization header, hash it, and look up the hash. Implement per-key rate limiting using Redis sliding window counters. Provide a key rotation endpoint that creates a new key and gives a grace period before the old key expires.
Related Terms
API Key Scoping & Rotation
The practice of limiting API key permissions to specific resources and operations, and regularly replacing keys to minimize the impact of compromise.
Rate-Limited Login Attempts
Restricting the number of authentication attempts a client can make within a time window to slow down automated attacks while preserving access for legitimate users.
Service-to-Service Auth (mTLS)
A transport-layer authentication mechanism where both client and server present X.509 certificates to mutually verify each other's identity, commonly used in service mesh architectures.
Scope-Based Permissions
A permission model where access tokens carry scope strings that define the specific actions and resources the token is authorized to access.
Token Revocation
The mechanism for invalidating issued access or refresh tokens before their natural expiration, typically triggered by logout, password change, or security events.