What is an API key — and why a leak hits your wallet

You're wiring an AI model or a service into your project, and the instructions say: "paste your API key here." You copy a long string like sk-proj-a8f... and don't think twice. But here's the thing: this key is not your account password. It's a pass that tells the service "do what's asked, and send me the bill." If it leaks, you pay.
What an API key actually is
When your program wants to talk to someone else's service through an API, the service needs to know who's knocking. The API key is the answer to "who are you": a long random string the service issued to you personally. You attach it to every request, the service recognizes you and does the job — generates an image, replies with text, sends an email.
Think of an office keycard. At the door you don't say your name — you tap the card. The turnstile sees the card and lets you in. The card doesn't know that you are you; it only knows that this card is allowed in. Same with a key: it doesn't know you're the one holding it. It knows the holder is allowed.
How it works in a request
Technically the key usually rides in a request header. Most often:
- a header Authorization: Bearer sk-proj-a8f... — the most common form;
- sometimes a dedicated header like x-api-key: ...;
- rarely — as a parameter right in the URL (frowned upon: URLs leak into logs easily).
The service on the other side takes the key and checks its database: whose is it, is it alive, has the limit been hit. If all good — it runs. If the key is deleted or you've hit your request ceiling — it errors. So the key is both an ID badge and a usage meter: the service counts your spend by it.
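Here is that exchange in code, as an added example (not code from the page or from any provider): the client puts the key in the Authorization header, and a toy service-side check looks it up, rejects a missing or revoked key, meters the usage, and refuses once the ceiling is hit. The registry contents, key strings and limits are constructed; 401 and 429 are the standard HTTP status codes for "not authenticated" and "too many requests".

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of what a service might store per key (not any real
# provider's schema). "used" is the usage meter, "limit" the request ceiling.
@dataclass
class KeyRecord:
    owner: str
    revoked: bool = False
    used: int = 0
    limit: int = 1000

KEY_REGISTRY: Dict[str, KeyRecord] = {
    "sk-proj-EXAMPLE-alice-0001": KeyRecord(owner="alice", limit=3),
    "sk-proj-EXAMPLE-bob-0002": KeyRecord(owner="bob", revoked=True),
}

def bearer_headers(api_key: str) -> Dict[str, str]:
    """Client side: the key rides in the Authorization header, never in the URL."""
    return {"Authorization": f"Bearer {api_key}"}

_BEARER = re.compile(r"^Bearer\s+(\S+)$")

def extract_key(headers: Dict[str, str]) -> Optional[str]:
    """Server side: accept the Bearer form or a dedicated x-api-key header."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    auth = lower.get("authorization")
    if auth:
        m = _BEARER.match(auth.strip())
        return m.group(1) if m else None
    return lower.get("x-api-key")

def authorize(headers: Dict[str, str], registry: Dict[str, KeyRecord] = KEY_REGISTRY) -> Tuple[int, str]:
    """Return (HTTP status, message); on success, count the request against the key."""
    key = extract_key(headers)
    if key is None:
        return 401, "no API key presented"
    rec = registry.get(key)
    if rec is None or rec.revoked:
        # A deleted key and a never-issued key look the same to the caller.
        return 401, "invalid or revoked API key"
    if rec.used >= rec.limit:
        return 429, f"request ceiling reached for {rec.owner}"
    rec.used += 1  # the meter: the service counts spend by key, not by person
    return 200, f"ok, billed to {rec.owner} ({rec.used}/{rec.limit})"

if __name__ == "__main__":
    print(authorize(bearer_headers("sk-proj-EXAMPLE-alice-0001")))
    print(authorize({"x-api-key": "sk-proj-EXAMPLE-bob-0002"}))
    print(authorize({}))
```

Note that the check never asks who is holding the key: whoever presents it gets the work done and the owner gets the bill, which is exactly why a leaked key costs money.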
Why a key is about money, not identity
Here's the unpleasant bit beginners learn late. If someone sees your key, they send requests in your name, and the service treats that as legitimate. For paid APIs (and with AI services almost everything is pay-per-use), that means: a stranger burns your balance. There are stories of a key left in open code racking up hundreds of dollars overnight.
So two rules worth learning right away:
- Key — not in code, not in git. Drop it into a file and push to GitHub, and bots find it in minutes — they scan public repos for exactly this. Keep the key in environment variables (a .env file), and add .env to .gitignore. Full walkthrough in the how to store keys safely guide.
- A key can be revoked. Exposed it by accident? Don't panic. Go to the service dashboard, delete the old key, create a new one. The old one stops working instantly. It's called rotation, and it's nothing to fear.
Where you'll run into it
Almost anywhere you plug in an external service. Use an AI model via its API — you get a key. Add maps, payments, email sending, a database — nearly each has its own key.
A useful habit: use different keys for different projects. Then if one leaks, you revoke only that one and don't break the rest. Many services also let you restrict a key — read-only access, or a monthly spend ceiling. Set the ceiling right away: that's your insurance against the overnight-hundreds story.
FAQ: Is an API key the same as a password?
No. A password is for logging you in as a person (often plus a second factor). A key is for a program's access to a service in your name, usually with no second factor. So keys are treated even more strictly: steal a password and you still need the SMS code; steal a key and you need nothing more.
FAQ: What do I do if a key leaks anyway?
Revoke it in the dashboard and create a new one — that's a minute. Then check it isn't still in your code or git history, and remove it. If it was a paid key, look at the last few hours of usage: someone may already have used it.
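An added example (not from the page) of the "check it isn't still in your code or git history" step: a small scanner that flags key-like strings in source text, in a working tree, or in the output of git log -p, because a key deleted from the files still sits in every old commit that contained it. The sk-proj- prefix is the one the page uses; the variable-name rule, the sample source lines and the scan_* function names are constructed heuristics, not any provider's official key format.

```python
import re
import subprocess
from pathlib import Path
from typing import List, Tuple

# Patterns for key-like strings. "sk-proj-" is the prefix the page shows; the
# second rule catches any long random token assigned to a key-ish variable.
# Both are constructed heuristics; extend them for the services you use.
KEY_PATTERNS = [
    re.compile(r"sk-proj-[A-Za-z0-9_\-]{16,}"),
    re.compile(r"(?i)(api[_-]?key|secret|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{24,})"),
]

def redact(token: str) -> str:
    """Keep only the prefix so the scanner's own output does not leak the key."""
    return token[:8] + "…****"

def scan_text(text: str, label: str = "<text>") -> List[Tuple[str, int, str]]:
    """Return (label, line number, redacted token) for each key-like string."""
    found = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in KEY_PATTERNS:
            for m in pat.finditer(line):
                token = m.group(m.lastindex or 0)
                found[(lineno, token)] = (label, lineno, redact(token))  # dedupe overlaps
    return [found[k] for k in sorted(found)]

def scan_tree(root: Path) -> List[Tuple[str, int, str]]:
    """Scan every file under root that git would commit (skips .git and .env)."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts or path.name == ".env":
            continue
        hits.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return hits

def scan_git_history(repo: Path) -> List[Tuple[str, int, str]]:
    """A key removed from the working tree still sits in old commits, so scan
    the full diff history too (runs the real git log -p --all)."""
    log = subprocess.run(["git", "-C", str(repo), "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text(log, "git history")

# Constructed sample source file: one hard-coded key, one correct env lookup,
# one generic long token.
SAMPLE = '''\
client = Client(api_key="sk-proj-EXAMPLE0123456789abcdef")   # hard-coded: leaks
api_key = os.environ["MY_SERVICE_API_KEY"]                    # from env: fine
MAPS_TOKEN = "AIzaEXAMPLEEXAMPLEEXAMPLEEXAMPLE1234"            # generic long token
'''

if __name__ == "__main__":
    for label, lineno, token in scan_text(SAMPLE, "app.py"):
        print(f"{label}:{lineno}: key-like string {token}")
```

If scan_git_history reports a hit, revoking the key is the fix; rewriting history only matters for cleanliness, since anyone who cloned the repo already has the old commits.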
FAQ: Why is the key so long and scary?
So it can't be guessed. If it were short, it'd be brute-forced. A long random string is like a very long password generated for you: practically impossible to guess.