What Is an API Key? A Simple Service Credential
An API key is a string passed with a request that identifies and authenticates the caller to a service, usually with little or no built-in scoping.
An API key is the simplest form of machine credential: a string you send with each request so the service knows who is calling. Many third-party services, from email providers to analytics, hand you an API key. They are easy to use but blunt instruments, often granting broad access with no expiry, which makes them risky in pipelines.
How an API key works
The service generates a key tied to your account. You include it in requests, often as a header or query parameter. The service looks it up and grants access. There is usually no user interaction and no token exchange; the key itself is the credential.
API keys versus tokens
- API keys are typically long-lived and static.
- Access tokens are usually short-lived and scoped.
- OAuth and OIDC flows add consent and expiry that raw keys lack.
The risk with API keys
Because keys are often long-lived and broadly scoped, a leaked key can be abused for a long time before anyone notices. Keys in query strings can land in server logs and browser history. They demand the same care as a password.
API keys in CI/CD
Pipelines call third-party services that authenticate with API keys: deploy targets, monitoring, package registries. Store each key as an encrypted secret, never in code, and rotate it on a schedule so a forgotten leak cannot live forever.
Reducing exposure
Use the most restricted key a service offers, set expiry where supported, and rotate regularly. Prefer services that support scoped, short-lived tokens or OIDC over a single all-powerful key. Watch logs to be sure keys are masked.
API keys and the runner
An API key flows through the runner during a job. On ephemeral, isolated runners (such as Latchkey managed runners), the key vanishes with the environment when the job finishes, so it cannot leak into later jobs.
Key takeaways
- An API key is a static string that authenticates a caller to a service.
- Keys are often long-lived and broadly scoped, so a leak can persist undetected.
- Store keys as encrypted secrets, rotate them, and prefer scoped tokens where possible.