API key

An application programming interface (API) key is a secret unique identifier used to authenticate and authorize a user, developer, or calling program to an API.[1][2]

Cloud computing providers such as Google Cloud Platform and Amazon Web Services recommend that API keys only be used to authenticate projects, rather than human users.

An API key can be sent in the query string, as a request header, or as a cookie.

API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key.[6]

Keys are supposed to be a secret known only by the client and server, so they should not be communicated over an insecure channel and can only be considered secure when used in conjunction with other security mechanisms such as HTTPS.[2]

In 2017, Fallible, a Delaware-based security firm, examined 16,000 Android apps and identified over 300 that contained hard-coded API keys for services like Dropbox, Twitter, and Slack.
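
The three places a key can travel (query string, request header, cookie) and the HTTPS requirement described above, as an added server-side example that is not from the original article: it locates the key, refuses plain HTTP, compares against a stored digest in constant time, and masks the key in the URL before it is logged. The parameter, header and cookie names, the sample key, the host name and the digest-only storage are assumptions made for the example.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names (not from the page): "api_key" query parameter and cookie, "X-API-Key" header.
PARAM, HEADER, COOKIE = "api_key", "x-api-key", "api_key"
# Constructed sample key; the server keeps only its SHA-256 digest.
STORED_DIGEST = hashlib.sha256(b"demo-key-0123456789").hexdigest()


def extract_key(url, headers):
    """Return (key, location) from header, cookie or query string, else (None, None)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if HEADER in hdrs:
        return hdrs[HEADER], "header"
    cookie = SimpleCookie(hdrs.get("cookie", ""))
    if COOKIE in cookie:
        return cookie[COOKIE].value, "cookie"
    query = dict(parse_qsl(urlsplit(url).query))
    if PARAM in query:
        return query[PARAM], "query"
    return None, None


def redact_url(url):
    """Mask the key before the URL reaches access logs or error reports."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def authenticate(url, headers):
    """Return (accepted, location, url_safe_to_log) for one request."""
    safe_url = redact_url(url)
    key, location = extract_key(url, headers)
    if key is None:
        return False, None, safe_url
    # A key sent over plain HTTP is readable in transit, so refuse it.
    if urlsplit(url).scheme != "https":
        return False, location, safe_url
    digest = hashlib.sha256(key.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(digest, STORED_DIGEST), location, safe_url


if __name__ == "__main__":
    print(authenticate("https://api.example.com/v1/items?api_key=demo-key-0123456789&page=2", {}))
```

Of the three locations, only the query string puts the key into the URL itself, which is why the redaction step targets it.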