When this matters
API keys matter the moment your app connects to Stripe, OpenAI, Resend, Supabase, or pretty much any hosted service. If you are wiring tools together with AI and copy-pasting setup steps, this is usually one of the first secrets you will handle.
Small example
A server route usually reads the key from an environment variable and sends it in a request header. The browser should not contain the secret.
// Runs on the server only: the key is read from the environment and never sent to the browser.
const response = await fetch('https://api.example.com/messages', {
  headers: {
    'x-api-key': process.env.MY_SERVICE_API_KEY!,
  },
});
Common mistake or lookout
Treating an API key like a harmless config value. A key shipped to the browser, committed to Git, or dropped into a public demo can be abused fast, and some services will happily bill you for the privilege.
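As an added example (not code from the original page), here is a fuller version of the server-side pattern the small example above sketches: a framework-agnostic route handler that reads the key from the environment, refuses to run when the key is missing, forwards the browser's request to the hosted service, and redacts the key from anything it logs or returns to the client. The names MY_SERVICE_API_KEY and https://api.example.com/messages are the page's own placeholders; the function names, the injectable fetch and the fake upstream are assumptions made here so the handler can be exercised offline.

```javascript
// Added example, not the page's or any service's own code.
// MY_SERVICE_API_KEY and the upstream URL are the placeholders from the page;
// everything else (handleSendRoute, redactSecret, makeFakeUpstream) is assumed here.

const UPSTREAM_URL = 'https://api.example.com/messages';

// Read the key from the environment. Throwing here means a misconfigured
// deployment fails loudly instead of sending requests with an empty header.
function getApiKey(env = process.env) {
  const key = env.MY_SERVICE_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('MY_SERVICE_API_KEY is not set');
  }
  return key;
}

// Replace every occurrence of the key in a string so it never reaches logs,
// error pages, or responses returned to the browser.
function redactSecret(text, key) {
  if (!key) return String(text);
  return String(text).split(key).join('[redacted]');
}

// Framework-agnostic route handler: the browser POSTs a message to this route,
// the server attaches the key and forwards it upstream. Returns the status and
// body that should go back to the browser. `fetchImpl` and `log` are injectable
// so the handler can be tested without network access or console output.
async function handleSendRoute(body, env = process.env, fetchImpl = fetch, log = console.error) {
  let key;
  try {
    key = getApiKey(env);
  } catch (err) {
    // Fail closed: no key means no upstream call at all.
    log(err.message);
    return { status: 500, body: 'service not configured' };
  }
  try {
    const upstream = await fetchImpl(UPSTREAM_URL, {
      method: 'POST',
      headers: { 'content-type': 'application/json', 'x-api-key': key },
      body: JSON.stringify(body),
    });
    const text = await upstream.text();
    // Some services echo request headers in verbose error bodies; strip the key
    // before the response leaves the server.
    return { status: upstream.status, body: redactSecret(text, key) };
  } catch (err) {
    log(redactSecret(err.message, key));
    return { status: 502, body: 'upstream call failed' };
  }
}

// Constructed stand-in for the hosted service (not a real API): records the
// headers it received and echoes the key back, mimicking a verbose error reply.
function makeFakeUpstream(status = 200) {
  const seen = [];
  const fakeFetch = async (url, init) => {
    seen.push({ url, headers: init.headers, body: init.body });
    return {
      status,
      text: async () => `status ${status}; received key ${init.headers['x-api-key']}`,
    };
  };
  return { fakeFetch, seen };
}
```

The browser only ever calls your own route, so it never needs the key; if the hosted service's reply echoes the header back, `redactSecret` keeps it from reaching the client or your logs.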
Why this matters for vibe coders
Vibe coders move fast, which means secrets often get pasted into client code, screenshots, or Git commits without much thought. Understanding API keys is how you avoid accidentally publishing your service credentials to the whole internet.
Related tool or page
Related glossary terms
CORS
Rules that control which websites can talk to your server.
Shared tags: security
CSRF
An attack that tricks a logged‑in user into making a request they didn’t intend.
Shared tags: security
Endpoint
An endpoint is the address for one API capability. Different endpoints do different jobs, even when they belong to the same service.
Shared tags: api
