What Are API Keys?
An API key is a unique identifier used to authenticate requests to an API. Think of it as a password that identifies your application when it communicates with an API service. API keys allow providers to track usage, enforce rate limits, and control access to their resources.
Step 1: Generate Your API Key
Most API providers, including Apidly, allow you to generate keys through a dashboard or management console.
Using the Apidly Dashboard
- Sign in to your Apidly account
- Navigate to Settings > API Keys
- Click Create New Key
- Give your key a descriptive name (for example, "Production Backend" or "Staging Environment")
- Select the permissions and scopes the key should have
- Click Generate and copy the key immediately
Important: Most platforms only display the full key once at creation time. Store it securely before closing the dialog.
Step 2: Store Your Key Securely
Never hardcode API keys directly in your source code. Instead, use environment variables or a secrets manager.
Using Environment Variables
Create a .env file in your project root:
APIDLY_API_KEY=your_api_key_here
Add .env to your .gitignore file to prevent accidental commits:
# .gitignore
.env
.env.local
.env.production
Using a Secrets Manager
For production environments, consider using a dedicated secrets manager such as:
- AWS Secrets Manager for AWS-hosted applications
- Google Cloud Secret Manager for GCP workloads
- HashiCorp Vault for multi-cloud or on-premises deployments
These tools provide encryption at rest, access auditing, and automatic rotation capabilities.
Step 3: Use Your Key in Requests
API keys are typically sent in one of three ways:
As a Request Header (Recommended)
GET /v1/endpoints HTTP/1.1
Host: api.apidly.com
Authorization: Bearer your_api_key_here
As a Query Parameter
GET /v1/endpoints?api_key=your_api_key_here
This method is less secure because the key may appear in server logs and browser history. Use it only when headers are not an option.
As Part of the Request Body
{
"api_key": "your_api_key_here",
"data": { ... }
}
This approach is occasionally used for POST requests but is uncommon.
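Putting Steps 2 and 3 together, here is an added example (not Apidly's own SDK) of a small client helper that reads the key from the APIDLY_API_KEY environment variable, sends it only in the Authorization header, refuses to build a request whose URL would carry the key, and produces a redacted form for logs. The base URL reuses the host shown above; the function names are assumptions.

```python
"""Added example: load an API key from the environment and send it as a
Bearer header, never in the query string. Not Apidly's own client code."""
import os
from urllib.parse import urlencode
from urllib.request import Request

BASE_URL = "https://api.apidly.com"  # host from the article; paths are illustrative
KEY_ENV_VAR = "APIDLY_API_KEY"       # matches the .env entry in Step 2


def load_api_key(env=None):
    """Read the key from the environment (a .env loader would populate it).

    Refusing to start without a key avoids silently falling back to a
    hardcoded or empty credential.
    """
    env = os.environ if env is None else env
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; export it or load your .env file")
    return key


def redact(key):
    """Form safe for logs and error messages: only the last 4 characters survive."""
    return "****" + key[-4:] if len(key) > 4 else "****"


def build_request(path, params=None, key=None):
    """Build a GET request carrying the key in the Authorization header (Step 3).

    `key` may be passed explicitly for tests; by default it comes from the env.
    """
    key = load_api_key() if key is None else key
    url = BASE_URL + path
    if params:
        url += "?" + urlencode(params)
    # Guard against the query-parameter pattern: a key in the URL ends up in
    # server logs, proxies and browser history.
    if key in url:
        raise ValueError("API key must be sent as a header, not in the URL")
    return Request(url, headers={"Authorization": f"Bearer {key}"})


def safe_log_line(req):
    """What an application log should record: method, URL and a redacted token."""
    auth = req.get_header("Authorization", "")
    token = auth.split(" ", 1)[1] if " " in auth else ""
    return f"{req.get_method()} {req.full_url} auth={redact(token)}"
```

The request object can be handed to urllib.request.urlopen as-is; only safe_log_line output should ever reach a log file.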
Step 4: Manage Key Permissions
Follow the principle of least privilege when assigning permissions to your API keys.
- Read-only keys for applications that only need to fetch data
- Write keys for applications that create or update resources
- Admin keys only for management tools that need full access
Review and audit your key permissions regularly to ensure they still match your application's requirements.
Step 5: Rotate Your Keys
Regular key rotation reduces the window of exposure if a key is compromised.
Rotation Best Practices
- Generate a new key before revoking the old one
- Update all services and environments to use the new key
- Verify that all systems are functioning correctly with the new key
- Revoke the old key only after confirming the transition is complete
- Aim to rotate keys at least every 90 days
Common Mistakes to Avoid
- Committing keys to version control. Even if you delete the commit later, the key remains in the git history.
- Sharing keys across environments. Use separate keys for development, staging, and production.
- Using a single key for everything. Create dedicated keys per service or application to limit blast radius.
- Ignoring key expiration. Set expiration dates and monitor for upcoming expirations.
Conclusion
API keys are the simplest form of API authentication and a great starting point for securing your applications. By generating keys through a trusted dashboard, storing them securely, transmitting them via headers, and rotating them regularly, you establish a solid foundation for API security.