When this matters
API keys matter the moment your app connects to Stripe, OpenAI, Resend, Supabase, or pretty much any hosted service. If you are wiring tools together with AI and copy-pasting setup steps, this is usually one of the first secrets you will handle.
Small example
A server route usually reads the key from an environment variable and sends it in a request header. The browser should not contain the secret.
const response = await fetch('https://api.example.com/messages', {
  headers: {
    'x-api-key': process.env.MY_SERVICE_API_KEY!,
  },
});
Common mistake or lookout
Treating an API key like a harmless config value. A key shipped to the browser, committed to Git, or dropped into a public demo can be abused fast, and some services will happily bill you for the privilege.
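A fuller version of the server-route pattern, added here as an example and not part of the original page: the browser sends only the message text, and the server attaches the key, fails closed when the variable is missing, and returns nothing that contains the secret. The function names, the `{ text }` request shape, and the `id` response field are assumptions for illustration; only `MY_SERVICE_API_KEY`, the `x-api-key` header, and the URL come from the snippet above.

```javascript
// Added example: server-side only. Never import this file into client code.
const UPSTREAM_URL = 'https://api.example.com/messages';

// Read the key from the server environment and fail closed if it is absent,
// so a misconfigured deploy never sends the literal string "undefined".
function readApiKey(env) {
  const key = env.MY_SERVICE_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('MY_SERVICE_API_KEY is not set on the server');
  }
  return key;
}

// Hypothetical route handler: browserBody is the parsed JSON the browser sent,
// env is process.env, fetchImpl is injectable so the logic can be tested offline.
async function handleSendMessage(browserBody, env, fetchImpl = fetch) {
  let apiKey;
  try {
    apiKey = readApiKey(env);
  } catch (err) {
    // Tell the browser nothing about which secret is missing.
    return { status: 500, body: { error: 'Server is not configured' } };
  }
  const text = browserBody && browserBody.text;
  if (typeof text !== 'string' || text.length === 0 || text.length > 2000) {
    return { status: 400, body: { error: 'Invalid message' } };
  }
  const upstream = await fetchImpl(UPSTREAM_URL, {
    method: 'POST',
    headers: { 'x-api-key': apiKey, 'content-type': 'application/json' },
    // Forward only the expected field, never the raw browser payload.
    body: JSON.stringify({ text }),
  });
  if (!upstream.ok) {
    // Do not relay upstream error bodies; they may reflect request details.
    return { status: 502, body: { error: 'Upstream request failed' } };
  }
  const data = await upstream.json();
  // Return an explicit allow-list of fields instead of the whole upstream reply.
  return { status: 200, body: { id: data.id } };
}
```

In a real route, pass `process.env` as `env` and send `result.status` and `result.body` back to the browser.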
Why this matters for vibe coders
Vibe coders move fast, which means secrets often get pasted into client code, screenshots, or Git commits without much thought. Understanding API keys is how you avoid accidentally publishing your service credentials to the whole internet.
Related glossary terms
CORS
Rules that control which websites can talk to your server.
Shared tags: security
CSRF
An attack that tricks a logged‑in user into making a request they didn’t intend.
Shared tags: security
Endpoint
An endpoint is the address for one API capability. Different endpoints do different jobs, even when they belong to the same service.
Shared tags: api
