API Key
An API key is a unique alphanumeric string used to authenticate requests to an API (Application Programming Interface). It identifies the calling application and grants access to the API's resources. API keys are among the most common authentication methods for web services, developer tools, and SaaS platform integrations.
How Does an API Key Work?
An API key functions as a shared secret between a client and an API server. When you make a request to an API, you include the key in the request — typically in the Authorization header ("Authorization: Bearer sk_live_abc123") or as a query parameter. The API server looks up the key in its database, verifies it is valid and has the required permissions, and then processes the request.
API keys are generated as cryptographically random strings, making them practically impossible to guess. A well-designed API key system separates keys by permission scope (e.g., read-only vs. read-write keys, or keys scoped to specific resources) and supports key rotation so old keys can be revoked without disrupting all integrations simultaneously.
Unlike OAuth tokens, API keys do not expire automatically and are not tied to a user session. This makes them convenient for server-to-server communication and automated scripts, but risky if exposed in client-side JavaScript or public repositories. Most providers offer separate "publishable" (safe for client-side) and "secret" (server-side only) key types.
// Correct: API key read from the environment and sent in the Authorization header (server-side only)
const response = await fetch('https://api.widgetjar.com/v1/widgets', {
  headers: {
    'Authorization': `Bearer ${process.env.WIDGETJAR_API_KEY}`,
    'Content-Type': 'application/json',
  },
});

# .env file: store API keys here and never commit this file
WIDGETJAR_API_KEY=sk_live_abc123xyz789

# .gitignore: always ignore .env files
.env
.env.local
.env.production

// WRONG: never expose secret API keys in client-side code
// fetch('/api/data', { headers: { 'X-API-Key': 'sk_live_abc123' } })

Why Use an API Key?
When to use API keys: API keys are best for server-to-server integrations, CI/CD pipelines, and backend services where the key can be kept secret. They are simple to implement and understand, require no OAuth flow, and work well for machine-to-machine communication.
Security best practices: Never embed secret API keys in client-side JavaScript, mobile apps, or public repositories — attackers can extract and abuse them. Use environment variables or secret management services (like HashiCorp Vault or AWS Secrets Manager) to store keys. Implement the principle of least privilege: grant keys only the permissions they need. Set up usage monitoring and alerts for unusual API activity. Rotate keys regularly and immediately upon suspected compromise.
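One way to enforce the first of these practices before a key ever reaches a public repository or a browser bundle, as an added example that is not WidgetJar's code: a pre-commit style scan over the files about to be committed. It flags secret-key literals (the sk_live_ format is the page's own), treats one found under a client-side path as critical, reports a staged .env file, and only notes a publishable key in client code. The pk_live_ prefix for publishable keys, the client-side path convention, and the sample file contents are constructed for this example.

```javascript
// Added example (not WidgetJar's code): scan staged files for embedded API keys.
const SECRET_KEY_PATTERN = /\bsk_(?:live|test)_[A-Za-z0-9_-]{8,}\b/g;   // page's sk_live_ style
const PUBLISHABLE_KEY_PATTERN = /\bpk_(?:live|test)_[A-Za-z0-9_-]{8,}\b/; // constructed pk_live_ style

// Constructed project layout: anything under these paths ships to the browser.
function isClientSide(path) {
  return /^(public|static|src\/client|app\/client)\//.test(path) || path.endsWith('.html');
}

// Keep the prefix for triage, hide the rest so the report itself is not a leak.
function redact(key) {
  return key.slice(0, 8) + '...' + key.slice(-4);
}

// Scan one file; returns findings with line numbers and a severity.
function scanFile(path, text) {
  const findings = [];
  const client = isClientSide(path);
  // A real .env (not .env.example) should be gitignored, not staged.
  if (/(^|\/)\.env(\.[^/]*)?$/.test(path) && !path.endsWith('.example')) {
    findings.push({ path, line: 0, severity: 'high', reason: '.env file staged; it belongs in .gitignore' });
  }
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(SECRET_KEY_PATTERN)) {
      findings.push({
        path, line: i + 1, key: redact(m[0]),
        severity: client ? 'critical' : 'high',
        reason: client ? 'secret key shipped to the browser' : 'secret key literal in source',
      });
    }
    if (client && PUBLISHABLE_KEY_PATTERN.test(line)) {
      findings.push({ path, line: i + 1, severity: 'info', reason: 'publishable key in client code (allowed for read-only use)' });
    }
  });
  return findings;
}

const SEVERITY_ORDER = { critical: 0, high: 1, info: 2 };

// Scan a whole tree (path -> contents) and sort the worst findings first.
function scanTree(files) {
  return Object.entries(files)
    .flatMap(([path, text]) => scanFile(path, text))
    .sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
}

function shouldBlockCommit(findings) {
  return findings.some((f) => f.severity !== 'info');
}

// Constructed sample tree: one correct server file, one leaking client file,
// one client file with a publishable key, a staged .env and a harmless template.
const SAMPLE_FILES = {
  'server/widgets.js': "const r = await fetch(url, { headers: { Authorization: `Bearer ${process.env.WIDGETJAR_API_KEY}` } });",
  'public/app.js': "fetch('/api/data', { headers: { 'X-API-Key': 'sk_live_abc123xyz789' } })",
  'public/embed.js': "const pk = 'pk_live_public123';",
  '.env': 'WIDGETJAR_API_KEY=sk_live_abc123xyz789',
  '.env.example': 'WIDGETJAR_API_KEY=',
};

// Usage: print the report and the commit decision.
const report = scanTree(SAMPLE_FILES);
for (const f of report) console.log(`${f.severity.padEnd(8)} ${f.path}:${f.line} ${f.reason}${f.key ? ' (' + f.key + ')' : ''}`);
console.log('block commit:', shouldBlockCommit(report));
```

The server file passes because it references process.env rather than a literal, which is exactly the distinction the scan is meant to draw; hooking the same function into a CI step gives the usage monitoring side a cheap early signal that a key may already need rotating.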
The WidgetJar Alternative
WidgetJar provides scoped API keys for every workspace, enabling you to programmatically create and update widgets, pull analytics data, or trigger webhook tests from your own backend. Publishable keys are safe to use in client-side contexts for read-only operations, while secret keys power your server-side automations — both accessible from your WidgetJar dashboard.