An API key is a unique identifier used to connect to, or perform, an API call. API stands for application programming interface. API's are used for software applications to send and receive data. API's can also connect one program to another, to share functionality. In order to connect to or communicate with another API, an API key is necessary. API keys provide an initial step for cloud API security.
The API key process is similar to user authentication for web applications and mobile devices -- the API call starts with one API calling another, and then passing the API key to gain access.
The API key signifies that the connecting API has a "password" or key and a defined set of access rights. For example, an application that sends medical forms to patients would need to connect its own API to that of an application that stores medical forms. The owner of the medical forms API assigns an API key, which allows the first application to access medical forms and nothing else.
When to use API keys
API keys are used for authenticating a calling program to another API -- typically to confirm a project is authorized to connect. Project authorization rules are created and managed by the API owner or source. API keys may serve as an initial authentication or security step by passing a secure authentication token.
API keys are not used to access private data. API keys are typically used for web and mobile applications that don't have an attached back-end server. When a back-end server does not exist, the mobile or web apps rely on getting their data by connecting to APIs. The API key establishes the connection and may track access rates for billing purposes depending on the rules of the API owner.
Getting and using an API key
The use of an API key depends on the API being connected to. The rules around receiving a specific API key are up to the developer or publisher of the API. The steps below represent general steps common to most API providers:
- Access the cloud-based console of the provider that owns the desired API. For example, if a user wants to use Google maps, they should connect to the Google Cloud Platform Console.
- Select a project already offered or create a new project to request the API key.
- The user should designate the desired API they want to connect to and define how they plan on using it. This establishes the specific access rights of the key which need to be accessed.
- The user should restrict the use of their API key to ensure it remains secure. There are generally two types of restrictions: Application and API.
- Application restriction means only a website (HTTP), a web server with an IP address or a mobile app (Android or iOS) is allowed to connect using the key.
- API restriction limits the API key's use to only a defined set of APIs or SDKs. Requests to connect fail if undefined APIs or SDKs attempt to use the key to connect.
How do different platforms use API keys?
API keys are useful when connecting applications with each other to share data, or to connect to other systems that provide the data needed without creating the need for coding.
For example, to use Amazon Web Services to manage back-end servers, there's a series of APIs users can connect to on the cloud to perform those functions. Like many providers, simple API connections are free or require an agreement and a fee.
API usage is widespread and increasing, especially as device and application connectivity grows. For example, Google Maps is everywhere. Almost every mobile or web application uses Google Maps to provide address and location data. Where would food delivery businesses be without Google Maps?
API connections exist between government entities, healthcare systems and providers -- basically anywhere data sources can be shared securely. Healthcare systems are able to share and exchange patient data currently because of API connections. Nearly any software development business has a library of APIs available, some available for free and some that require agreements and fees. API keys foster the connections that keep lives, devices and data linked together.