Browse Definitions :
Definition

API key

An API key is a unique identifier used to connect to, or perform, an API call. API stands for application programming interface. API's are used for software applications to send and receive data. API's can also connect one program to another, to share functionality. In order to connect to or communicate with another API, an API key is necessary. API keys provide an initial step for cloud API security.

The API key process is similar to user authentication for web applications and mobile devices -- the API call starts with one API calling another, and then passing the API key to gain access.

The API key signifies that the connecting API has a "password" or key and a defined set of access rights. For example, an application that sends medical forms to patients would need to connect its own API to that of an application that stores medical forms. The owner of the medical forms API assigns an API key, which allows the first application to access medical forms and nothing else.

When to use API keys

API keys are used for authenticating a calling program to another API -- typically to confirm a project is authorized to connect. Project authorization rules are created and managed by the API owner or source. API keys may serve as an initial authentication or security step by passing a secure authentication token.

An API key may also be embedded in the software of nearly any type of coding language -- such as JavaScript, or Python. The coding language used will depend on the API the user is trying to connect to. For example, if a user wants to connect an application to use Google Maps, the user will need to get an API key from Google to access their maps API, using JavaScript. API key creation depends on which host the user is connecting to: Google Cloud Platform, Amazon Web Services (AWS), Microsoft Azure, or any number of other API creators or owners.

API keys are not used to access private data. API keys are typically used for web and mobile applications that don't have an attached back-end server. When a back-end server does not exist, the mobile or web apps rely on getting their data by connecting to APIs. The API key establishes the connection and may track access rates for billing purposes depending on the rules of the API owner.

Getting and using an API key

The use of an API key depends on the API being connected to. The rules around receiving a specific API key are up to the developer or publisher of the API. The steps below represent general steps common to most API providers:

  • Access the cloud-based console of the provider that owns the desired API. For example, if a user wants to use Google maps, they should connect to the Google Cloud Platform Console.
  • Select a project already offered or create a new project to request the API key.
  • The user should designate the desired API they want to connect to and define how they plan on using it. This establishes the specific access rights of the key which need to be accessed.
  • The user should restrict the use of their API key to ensure it remains secure. There are generally two types of restrictions: Application and API.
    • Application restriction means only a website (HTTP), a web server with an IP address or a mobile app (Android or iOS) is allowed to connect using the key.
    • API restriction limits the API key's use to only a defined set of APIs or SDKs. Requests to connect fail if undefined APIs or SDKs attempt to use the key to connect.

How do different platforms use API keys?

API keys are useful when connecting applications with each other to share data, or to connect to other systems that provide the data needed without creating the need for coding.

For example, to use Amazon Web Services to manage back-end servers, there's a series of APIs users can connect to on the cloud to perform those functions. Like many providers, simple API connections are free or require an agreement and a fee.

API usage is widespread and increasing, especially as device and application connectivity grows. For example, Google Maps is everywhere. Almost every mobile or web application uses Google Maps to provide address and location data. Where would food delivery businesses be without Google Maps?

API connections exist between government entities, healthcare systems and providers -- basically anywhere data sources can be shared securely.  Healthcare systems are able to share and exchange patient data currently because of API connections. Nearly any software development business has a library of APIs available, some available for free and some that require agreements and fees. API keys foster the connections that keep lives, devices and data linked together.

This was last updated in April 2020

Continue Reading About API key

SearchCompliance
  • OPSEC (operations security)

    OPSEC (operations security) is a security and risk management process and strategy that classifies information, then determines ...

  • smart contract

    A smart contract is a decentralized application that executes business logic in response to events.

  • compliance risk

    Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...

SearchSecurity
  • What is cybersecurity?

    Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats.

  • private key

    A private key, also known as a secret key, is a variable in cryptography that is used with an algorithm to encrypt and decrypt ...

  • DOS (disk operating system)

    A DOS, or disk operating system, is an operating system that runs from a disk drive. The term can also refer to a particular ...

SearchHealthIT
SearchDisasterRecovery
  • What is risk mitigation?

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • change control

    Change control is a systematic approach to managing all changes made to a product or system.

  • disaster recovery (DR)

    Disaster recovery (DR) is an organization's ability to respond to and recover from an event that affects business operations.

SearchStorage
  • NOR flash memory

    NOR flash memory is one of two types of non-volatile storage technologies.

  • What is RAID 6?

    RAID 6, also known as double-parity RAID, uses two parity stripes on each disk. It allows for two disk failures within the RAID ...

  • PCIe SSD (PCIe solid-state drive)

    A PCIe SSD (PCIe solid-state drive) is a high-speed expansion card that attaches a computer to its peripherals.

Close