# What is an API Key? Plain English Security Guide

Glossary | Published 2026-01-05 | Updated 2026-02-09 | 4 min read

Learn what API keys are, why they matter for security, and how to protect them. A simple explanation for non-technical founders building with AI tools.

**TL;DR:** An API key is a secret code that identifies your app when it talks to external services like Stripe, OpenAI, or Supabase. Think of it like a password for your software. If someone gets your API key, they can use (and abuse) those services as if they were you. Never put API keys in your code. Read them from environment variables locally and from your hosting platform's secrets manager in production.

## The Simple Explanation

When your app needs to talk to another service (like processing a payment through Stripe or getting an AI response from OpenAI), it needs to prove who it is. The API key is that proof.

Imagine walking into a private club. The bouncer asks for your membership card. The API key is that membership card for your software.

## Why API Keys Matter for Security

According to GitGuardian's 2024 State of Secrets Sprawl report, 12.8 million new secrets (including API keys) were exposed in public GitHub commits in 2023. IBM's 2024 Cost of a Data Breach Report puts the global average cost of a breach at $4.88 million, and stolen or compromised credentials were among the most common initial attack vectors.

When API keys are exposed:

- **Financial damage:** Attackers can run up your bills (crypto mining on AWS, mass API calls to OpenAI)
- **Data access:** They might access your database or customer data
- **Service abuse:** Your accounts can be banned for terms of service violations
- **Reputation harm:** Customer trust is hard to rebuild after a breach

## Public vs Secret Keys

Many services give you two types of keys:

- **Public/Publishable keys** (like Stripe's `pk_live_...`): Can be used in frontend code because they have limited permissions
- **Secret keys** (like Stripe's `sk_live_...`): Have full access and must only be used on the server side, never exposed to browsers

**Warning. Common mistake:** Using your secret key in frontend JavaScript. This exposes it to anyone who views your page source or opens the browser's network tab. The same leak happens indirectly when a secret key is put in an environment variable that your build tool inlines into the browser bundle (names starting with `NEXT_PUBLIC_`, `VITE_` or `REACT_APP_`). Secret keys belong on your server only.

## How to Protect Your API Keys

### 1. Use Environment Variables

Instead of putting keys directly in your code, read them from environment variables. Using an environment variable:

```js
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);
```

The key now lives in the running process's environment rather than in a file that gets committed and shared.

### 2. Add .env to .gitignore

Your `.env` file should never be committed to git. Add a `.env` line to `.gitignore` before your first commit. Once a key has been pushed, deleting the file is not enough; the key is in the repository's history and has to be rotated (see below).

### 3. Use Your Platform's Secrets Manager

When deploying, use your hosting platform's secure environment variable storage rather than a committed `.env` file:

- **Vercel:** Project Settings, Environment Variables
- **Netlify:** Site Settings, Environment Variables
- **Railway:** Project Variables
- **Supabase:** Project Settings, Vault

### 4. Enable Secret Scanning

GitHub offers free secret scanning for public repositories that alerts you if API keys are pushed, and push protection that blocks such a push before it lands. Enable both in your repository settings under Code security.

## What to Do If Your Key Is Exposed

1. **Rotate immediately:** Generate a new key in the service's dashboard and deploy it
2. **Revoke the old key:** Delete or deactivate the compromised key
3. **Check for damage:** Review the service's logs and billing for unauthorized usage
4. **Find the leak:** Use `git log -p --all | grep "sk_live_"` to find every commit where it was exposed
5. **Clean git history:** Use BFG Repo-Cleaner or git filter-repo (the maintained successor to git filter-branch) if it was committed. This is housekeeping, not remediation: forks, clones and cached copies can still hold the old commit, which is why rotating comes first

## FAQ

**What happens if my API key is exposed?**

If your API key is exposed, attackers can use it to make requests on your behalf. This could result in unauthorized charges to your account, access to your data, or abuse of the service. You should immediately rotate (replace) any exposed API key.

**Where should I store my API keys?**

Store API keys in environment variables, not in your code. Use `.env` files locally (never commit them to git) and your hosting platform's secrets management in production (like Vercel Environment Variables or Railway Variables).

**What is the difference between public and secret API keys?**

Public (or publishable) keys can be used in frontend code because they have limited permissions. Secret keys have full access and must only be used on the server side, never exposed to browsers. For example, Stripe uses `pk_` for public keys and `sk_` for secret keys.

## Related Articles

- [Environment Variable](/blog/glossary/environment-variable): Where you should store API keys
- [Authentication](/blog/glossary/authentication): Verifying identity in your app
- [Encryption](/blog/glossary/encryption): Protecting data in transit and at rest

## Check Your Keys

Scan your codebase for exposed API keys and secrets. [Start Free Scan](/)
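The environment-variable pattern from step 1 and the publishable-versus-secret distinction above, as an added example (not code from the original post or from Stripe): a startup check that reads the key from an injected environment object, fails fast when it is missing, and refuses both a `pk_` key and a secret key stored under a browser-bundled variable name. `loadStripeSecret`, `redactKey`, the `BROWSER_EXPOSED_RE` prefix list and every key value are assumptions constructed for the demonstration.

```javascript
// Added example (not code from the original post): load a Stripe-style secret
// key from the environment, fail fast when it is missing, and refuse both a
// publishable (pk_) key and a secret key exposed through a browser-bundled
// variable name. All key values and env objects here are constructed fakes.

// Prefixes Stripe uses: sk_/rk_ are server-only secrets, pk_ is publishable.
const SECRET_KEY_RE = /^(sk|rk)_(live|test)_[0-9A-Za-z]{8,}$/;
const PUBLISHABLE_KEY_RE = /^pk_(live|test)_[0-9A-Za-z]{8,}$/;

// Variable-name prefixes that Next.js, Vite, CRA and Nuxt inline into the
// browser bundle; anything named like this is public, whatever it holds.
const BROWSER_EXPOSED_RE = /^(NEXT_PUBLIC_|VITE_|REACT_APP_|NUXT_PUBLIC_)/;

// Return the secret key from `env` (injected so tests never touch the real
// process.env), or throw an error whose message never echoes the key itself.
function loadStripeSecret(env, name = "STRIPE_SECRET_KEY") {
  if (BROWSER_EXPOSED_RE.test(name)) {
    throw new Error(`${name} is bundled into client code; a secret key must not live there`);
  }
  const value = env[name];
  if (!value) {
    throw new Error(`${name} is not set; refusing to start without a Stripe secret key`);
  }
  if (PUBLISHABLE_KEY_RE.test(value)) {
    throw new Error(`${name} holds a publishable (pk_) key; the server needs a secret (sk_) key`);
  }
  if (!SECRET_KEY_RE.test(value)) {
    throw new Error(`${name} does not look like a Stripe secret key`);
  }
  return value;
}

// Mask a key for log lines: prefix plus last four characters is enough to
// tell keys apart without printing anything reusable.
function redactKey(key) {
  const m = key.match(/^[a-z]+_(?:live|test)_/);
  return `${m ? m[0] : ""}...${key.slice(-4)}`;
}

// Constructed fake keys (right shape, meaningless values).
const FAKE_SECRET = "sk_test_EXAMPLEONLY0000000000000000";
const FAKE_PUBLISHABLE = "pk_test_EXAMPLEONLY000000000000000";

// Worked run: one good environment and three misconfigurations.
function loadDemo() {
  const loaded = loadStripeSecret({ STRIPE_SECRET_KEY: FAKE_SECRET });
  const errors = [];
  const bad = [
    [{}, "STRIPE_SECRET_KEY"],                                         // missing
    [{ STRIPE_SECRET_KEY: FAKE_PUBLISHABLE }, "STRIPE_SECRET_KEY"],    // wrong key type
    [{ NEXT_PUBLIC_STRIPE_KEY: FAKE_SECRET }, "NEXT_PUBLIC_STRIPE_KEY"], // leaks to browser
  ];
  for (const [env, name] of bad) {
    try {
      loadStripeSecret(env, name);
    } catch (e) {
      errors.push(e.message);
    }
  }
  return { loaded: redactKey(loaded), errors };
}

console.log(loadDemo());
```

In a real server you would call `loadStripeSecret(process.env)` once at startup, so a missing or wrong key fails at boot rather than during the first customer's checkout, and you would only ever log the `redactKey` form of the value.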
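The secret-scanning step (4) and the "find the leak" step of the exposure checklist, as an added example (not code from the original post or from GitHub's scanner): a small regex-based scanner run over a constructed sample repository. The rule patterns are heuristics for Stripe, OpenAI-style and AWS access key formats, and `scanRepo`, `hasBlockingFindings`, the sample files and every key value in them are assumptions made up for the demonstration.

```javascript
// Added example (not code from the original post): a small secret scanner in
// the spirit of GitHub secret scanning, run over constructed file contents.
// Patterns are heuristics for Stripe, OpenAI-style and AWS access key formats;
// the sample repo and every key value in it are made up.

const RULES = [
  { rule: "stripe-secret-key", severity: "high", re: /\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{20,}\b/g },
  { rule: "stripe-publishable-key", severity: "info", re: /\bpk_(?:live|test)_[0-9A-Za-z]{20,}\b/g },
  { rule: "openai-style-key", severity: "high", re: /\bsk-[0-9A-Za-z_-]{32,}\b/g },
  { rule: "aws-access-key-id", severity: "high", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
];

// Keep enough of a match to recognise it, never enough to reuse it.
function redact(secret) {
  return `${secret.slice(0, 8)}...${secret.slice(-4)}`;
}

// Scan one file's text line by line; returns one finding per match.
function scanText(path, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const { rule, severity, re } of RULES) {
      for (const m of line.matchAll(re)) {
        findings.push({ path, line: idx + 1, rule, severity, preview: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Scan a whole repo. `files` maps path -> contents; `tracked` is the set of
// paths git knows about (what `git ls-files` would print). A secret in an
// untracked .env is expected locally; the same secret in a tracked file is
// already in history and must be rotated, not just deleted.
function scanRepo(files, tracked) {
  const out = [];
  for (const [path, text] of Object.entries(files)) {
    for (const f of scanText(path, text)) {
      out.push({ ...f, severity: tracked.has(path) ? f.severity : "untracked" });
    }
  }
  return out;
}

// True when something should block a commit or push (a pre-commit hook would exit 1).
function hasBlockingFindings(findings) {
  return findings.some((f) => f.severity === "high");
}

// Constructed sample repository. Only src/* is tracked; .env is git-ignored.
const SAMPLE_FILES = {
  ".env": "STRIPE_SECRET_KEY=sk_live_EXAMPLEONLY00000000000000\nDATABASE_URL=postgres://app:app@localhost/app\n",
  "src/checkout.js": "const stripe = new Stripe('sk_live_EXAMPLEONLY11111111111111'); // hardcoded, bad\n",
  "src/client.js": "const stripe = Stripe('pk_live_EXAMPLEONLY22222222222222'); // publishable, fine in browser\n",
  "src/server.js": "const stripe = new Stripe(process.env.STRIPE_SECRET_KEY); // correct\n",
};
const SAMPLE_TRACKED = new Set(["src/checkout.js", "src/client.js", "src/server.js"]);

function scanDemo() {
  return scanRepo(SAMPLE_FILES, SAMPLE_TRACKED);
}

for (const f of scanDemo()) {
  console.log(`${f.severity.padEnd(9)} ${f.path}:${f.line} ${f.rule} ${f.preview}`);
}
```

The run reports the hardcoded key in `src/checkout.js` as blocking, the publishable key in `src/client.js` as informational, and the untracked `.env` separately; `src/server.js`, which reads the key from the environment, produces nothing. To check history instead of the working tree, feed the output of `git log -p --all` to `scanText` as one big file: the line numbers then point into the patch dump, and any hit means the key is in a commit and has to be rotated.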