What's an API key?
Understand authentication tokens and use them safely
⏱ Est. ~4 min
01 · Read
JSONPlaceholder doesn't require authentication — it's open to everyone. But most real APIs do. They give you an API key: a secret string that identifies your account (or application) and proves to the server that a request really came from you.
API keys exist for three reasons:
1. Rate limiting — prevent abuse (you get N requests per day)
2. Billing — track usage on paid plans
3. Authorization — restrict private data to authorized users
You attach the key to every request, usually in a header.
💡 Picture this
An API key is your hotel keycard. The hotel knows who you are, which rooms you can enter, and when it expires. Without it, the door stays locked. Using someone else's keycard is impersonation.
Key points
- API keys are secret — treat them like passwords
- Don't commit API keys to Git (add .env to .gitignore)
- If a key leaks by accident, rotate (regenerate) it immediately
- Always read keys from environment variables in code (process.env.API_KEY in Node.js), and never print or log them
02 · Code example
Here's what API key authentication looks like in curl. Sending the key in an Authorization: Bearer header is the pattern you'll meet most often.
Bearer token (standard pattern)
# API_KEY is read from your shell environment; the key itself never appears in the command
curl https://api.example.com/data \
  -H "Authorization: Bearer $API_KEY"
The -H flag adds a header to the request. Authorization: Bearer followed by the key is the most common way APIs verify who is calling. Not every API uses it: some expect the key in a custom header such as X-API-Key, and some accept it as a query parameter. Prefer a header whenever the API offers one, because query parameters end up in server logs, proxy logs, and browser history, where a key is easy to leak.
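The same pattern in code, as an added example that is not part of the lesson: the key is read from the environment, the program refuses to run if it is missing or still a placeholder, the key goes only into the Authorization header (never the URL), and only its last four characters are ever printed. The function names, the placeholder list and the demo key are assumptions made for this example; real code passes process.env instead of the constructed object.

```javascript
// Added example (not from the lesson): load an API key from the environment,
// attach it as a Bearer header, and redact it before anything is logged.

// Values that mean "nobody filled this in yet" (assumed list for this example).
const PLACEHOLDERS = new Set(["", "YOUR_API_KEY", "changeme", "xxx"]);

// Read the key from an env object. Real code passes process.env; an object
// parameter lets the logic run without touching the real environment.
// Fail loudly: a missing key should stop the program, not quietly send
// unauthenticated requests.
function loadApiKey(env, name = "API_KEY") {
  const raw = env[name];
  if (raw === undefined || PLACEHOLDERS.has(raw.trim())) {
    throw new Error(`${name} is not set; export it in your shell or put it in .env`);
  }
  return raw.trim();
}

// Never print a whole key. The last 4 characters are enough to match a log
// line to a key in the provider's dashboard when you need to rotate it.
function redact(key) {
  if (key.length <= 4) return "****";
  return "****" + key.slice(-4);
}

// Build the options object for fetch(). The key appears only in the
// Authorization header, so it never lands in a URL, a log, or browser history.
function buildRequest(env) {
  const key = loadApiKey(env);
  return {
    method: "GET",
    headers: {
      Authorization: `Bearer ${key}`,
      Accept: "application/json",
    },
  };
}

// Constructed environment for the demonstration; this is not a real key.
const demoEnv = { API_KEY: "demo_1234567890abcdef" };
const req = buildRequest(demoEnv);
console.log("Authorization header ready for key", redact(demoEnv.API_KEY));
// The actual call would be: fetch("https://api.example.com/data", req)
```

Note that loadApiKey also rejects the literal YOUR_API_KEY: a copy-pasted placeholder is a surprisingly common reason for a 401 that looks like a server problem.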
03 · Checklist
API key safety rules — check each one you'll follow.
- Don't paste API keys into public chats, GitHub issues, or Slack messages
- Add .env to .gitignore before creating the .env file
- Put keys in environment variables, never hardcoded in code
- When creating an API key, use the minimum permissions needed
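Two of these rules can be checked automatically before a commit. The following is an added example, not part of the lesson: one function confirms that a .gitignore really covers .env (including the case where a later "!.env" line re-includes it), and another scans text such as a staged diff for lines that look like a pasted key. The patterns, the sample diff and the function names are constructed for this example; real scanners such as gitleaks use far larger rule sets.

```javascript
// Added example (not from the lesson): pre-commit style checks for the
// two most common ways an API key ends up in a repository.

// Does this .gitignore cover a file named ".env" at the repo root?
// Handles comments, blank lines, a leading slash, and "!.env" negations.
// ".env/" (trailing slash) matches only a directory, so it does not count.
function gitignoreCoversEnv(gitignoreText) {
  let covered = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const negated = line.startsWith("!");
    const pattern = (negated ? line.slice(1) : line).replace(/^\//, "");
    if (pattern === ".env" || pattern === ".env*") {
      covered = !negated; // a later "!.env" undoes an earlier ".env"
    }
  }
  return covered;
}

// Patterns that usually mean a credential was pasted as a literal.
// Short placeholders like YOUR_API_KEY and variables like $API_KEY do not
// match because the captured value must be at least 16 token characters.
const SECRET_PATTERNS = [
  // api_key=..., secret: "...", token = '...'
  { kind: "key assignment", re: /\b(api[_-]?key|secret|token)\b\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})/i },
  // "Authorization: Bearer <literal token>"
  { kind: "bearer literal", re: /Bearer\s+([A-Za-z0-9_\-.]{16,})/ },
];

// Scan text line by line; report the line number, the rule that fired and
// a redacted sample, never the full value.
function findSecrets(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { kind, re } of SECRET_PATTERNS) {
      const m = re.exec(line);
      if (m) {
        const value = m[m.length - 1];
        hits.push({ line: i + 1, kind, sample: "****" + value.slice(-4) });
      }
    }
  });
  return hits;
}

// Constructed sample of added lines from a diff (none of these are real keys).
const sampleDiff = [
  "+API_KEY=demo_1234567890abcdefghij",                          // pasted key
  "+const key = process.env.API_KEY;",                            // fine: read from env
  '+curl -H "Authorization: Bearer $API_KEY"',                    // fine: variable
  '+curl -H "Authorization: Bearer demo_abcdefghijklmnop1234"',   // pasted key
].join("\n");

const sampleGitignore = "node_modules/\n.env\n";

console.log(".gitignore covers .env:", gitignoreCoversEnv(sampleGitignore));
for (const hit of findSecrets(sampleDiff)) {
  console.log(`line ${hit.line}: ${hit.kind} (${hit.sample})`);
}
```

A scan like this is a safety net, not a substitute for rotating a key that did get committed: once a key is in a public repository it should be treated as leaked even if the commit is rewritten.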
04 · Fill in the blank
An API key should never be committed to _____.
05 · Quiz
You accidentally committed an API key to a public GitHub repo. What's the very first thing you should do?
- Delete the commit with git reset --hard
- Make the repo private
- Delete the .env file from the repo
- Immediately rotate (regenerate) the API key in the provider's dashboard
※ This is an independent Traditional Chinese teaching project — not an official Anthropic product. Claude™ is a trademark of Anthropic, PBC.