“Welcome back to Fancy Club! May I see your membership card, please? Thank you very much, enjoy your visit.”
Just a bouncer at an exclusive event or club, software that you’re trying to gain access to wants to make sure you’re allowed in. Non-developers are used to this idea. They’ve been entering passwords to access their desktops for decades.
But API keys are a little different and have a broader range of functions and uses than mere passwords. For one thing, they’re not used by individual users.
It’s helpful to know what API keys are and what they can do, because not all APIs use them in the same way. There are times an API may not ask for an API key, and whether or not the developers have chosen to require them depends on the context of their project.
Get to know the different uses of API keys, and you also learn a lot about some of the foundations of modern cybersecurity. That’s interesting, but more importantly, useful.
An API key is a piece of identifying code that is used to identify a caller to an application programming interface (API).
An API is the connection between two pieces of software. Specifically, one piece of software will use an API call to request some kind of information from another.
When this happens, the second piece of software will check the API key supplied by the first. It might do this to see if the software making the request is authorized to do so. If it isn’t, the request will be denied. The API key can also be used to identify the specific caller – meaning the software, not the end user.
The decision to use an API key in a particular way generally belongs to the developers of the software receiving the API call, not the software that will be making requests. As a result, if you’re developing a digital product and want to request information from another via an API, it’s not your choice whether to use one.
For example, if your eCommerce delivery fulfillment application needs to use the Google Maps API for its map functionality, Google won’t give you the choice on whether to include an API key with your requests.
That said, if you’re developing a digital product that others will be sending requests to, you do have some freedom when it comes to how – and whether – to use API keys.
If that describes your situation, you may want to use an API key under the following circumstances:
However, there are important things an API key can’t do.
API keys are not all-in-one access and data solutions. Areas where API keys may not be able help include:
Regarding that final point, it’s worth spending a moment more on API security.
Short answer; nope.
Long answer; because most of the time API keys can be accessed by clients, it’s not difficult to steal one. If your API security efforts relied solely on API keys, this would be a problem, as they don’t expire. The project owner needs to revoke or regenerate the key, in this event. That would, of course, mean that the project owner would need to realize the key had been stolen.
While it’s true that some of the restrictions that can be added to keys mitigate this risk, there are far more effective ways to ensure security, such as Firebase Authentication or Auth0.
API keys are so common today partly because of the rapid rise of Jamstack – an architecture that’s revolutionizing modern development. While this approach – which combines JavaScript, API, and Markup – isn’t the best solution for every project, its flexibility and modularity are key advantages and it will work for many projects.
With APIs a component of Jamstack, API keys have also proliferated.
This article has only revealed the tip of the iceberg when it comes to APIs, Jamstack, and software development more broadly.
If you’re ready to get your development project moving forward, why not drop us a line? We’d be excited to hear all about your project, your ambitions, and your goals. Who knows? As specialist digital product developers, we might be able to help you succeed.
