API Authentication: API Keys, Bearer Tokens and Why They Matter

~11 min read

Authentication proves WHO is calling an API. API keys and Bearer tokens are the two forms you'll see constantly — both are secrets that must never leak, since anyone holding them can act as you.

API Authentication: API Keys, Bearer Tokens and Why They Matter is a Pro topic

Sign in, then upgrade to Pro or Power to unlock this topic and the full AI Engineering curriculum.

Key points

  • Authentication proves WHO is calling an API; authorization then decides what that identified caller is allowed to do
  • An API key is a unique secret string, typically sent with every request via an HTTP header, that identifies you to the provider
  • A Bearer token (Authorization: Bearer <token>) means whoever HOLDS the token is treated as authenticated — often how API keys are actually transmitted
  • An API key/token is exactly as sensitive as a password — anyone who obtains it can act as you, running up your bill or accessing your data
  • Never hardcode keys in source code or frontend JavaScript; load from environment variables/secrets managers, and revoke immediately if one leaks