API Authentication: API Keys, Bearer Tokens and Why They Matter
~11 min read
Authentication proves WHO is calling an API. API keys and Bearer tokens are the two forms you'll see constantly — both are secrets that must never leak, since anyone holding them can act as you.
API Authentication: API Keys, Bearer Tokens and Why They Matter is a Pro topic
Sign in, then upgrade to Pro or Power to unlock this topic and the full AI Engineering curriculum.
Key points
- •Authentication proves WHO is calling an API; authorization then decides what that identified caller is allowed to do
- •An API key is a unique secret string, typically sent with every request via an HTTP header, that identifies you to the provider
- •A Bearer token (Authorization: Bearer <token>) means whoever HOLDS the token is treated as authenticated — often how API keys are actually transmitted
- •An API key/token is exactly as sensitive as a password — anyone who obtains it can act as you, running up your bill or accessing your data
- •Never hardcode keys in source code or frontend JavaScript; load from environment variables/secrets managers, and revoke immediately if one leaks