API Key
A secret token that authenticates requests to an API without a username and password.
Definition
An API key is a unique string of characters issued to a client, service, or user that identifies and authenticates requests made to an application programming interface. Unlike a username and password pair, an API key is typically a single opaque token that a client includes in a request header, query parameter, or body. The server checks the key against a stored record to decide whether the request is authorized and, often, which permissions or rate limits apply to it.
How it works
When a key is created, the server generates a random, high-entropy string and stores a hash of it (or a reference to it) in a database, associated with an account, a set of permissions, and metadata such as a creation date or expiration. The plaintext key is usually shown to the user only once, at creation time, because the server never needs to read it back later; it only needs to verify that an incoming key matches the stored hash. If the plaintext is lost, the only remedy is to revoke the key and issue a new one.
Why it matters for AI agent systems
Long-lived, autonomous agents need a way to call external APIs, internal services, and each other without a human present to type a password. API keys fill that role, but they also expand the attack surface: a key embedded in an agent's environment or configuration can be extracted if the agent is compromised or manipulated into leaking its own context. Good practice for agent infrastructure includes issuing keys that are named and scoped to a single purpose, keeping them revocable independently of one another, and never displaying the full key value after creation. Agenhood, for example, issues named, revocable API keys with a one-time secret reveal at creation, so a leaked key can be identified and rotated without affecting other integrations.
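The lifecycle described above (generate a high-entropy key, store only its hash, reveal the plaintext once, verify in constant time, revoke keys individually by name) in working form. This is an added example, not Agenhood's code; the "ak_" prefix, the key-id scheme and the scope names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class KeyRecord:
    name: str            # human-readable purpose, e.g. "crm-sync" (constructed example)
    key_id: str          # public, non-secret identifier embedded in the key
    digest: bytes        # SHA-256 of the secret part; the plaintext is never stored
    scopes: frozenset    # permissions this key is allowed to exercise
    revoked: bool = False

class ApiKeyStore:
    """Illustrative in-memory store; a real deployment persists records in a database."""
    def __init__(self):
        self._records = {}   # key_id -> KeyRecord

    def create(self, name, scopes):
        """Return (plaintext_key, record). The plaintext is handed out exactly once."""
        key_id = secrets.token_hex(4)            # 8 hex chars identify the key in logs
        secret = secrets.token_urlsafe(32)       # 256 bits of entropy
        plaintext = f"ak_{key_id}_{secret}"      # "ak_" prefix is an assumed convention
        # A plain hash suffices because the secret is random and high-entropy;
        # slow password hashes (bcrypt, Argon2) exist to protect low-entropy passwords.
        digest = hashlib.sha256(secret.encode()).digest()
        self._records[key_id] = KeyRecord(name, key_id, digest, frozenset(scopes))
        return plaintext, self._records[key_id]

    def verify(self, presented, required_scope):
        """Return the record if the key is valid, unrevoked and has the scope; else None."""
        parts = presented.split("_", 2)          # secret may itself contain "_"
        if len(parts) != 3 or parts[0] != "ak":
            return None
        record = self._records.get(parts[1])
        if record is None or record.revoked:
            return None
        digest = hashlib.sha256(parts[2].encode()).digest()
        if not hmac.compare_digest(digest, record.digest):   # constant-time compare
            return None
        return record if required_scope in record.scopes else None

    def revoke(self, key_id):
        """Revoke one key by its public id without touching any other key."""
        record = self._records.get(key_id)
        if record:
            record.revoked = True
```

Because the key id is public and appears in the plaintext, a leaked key can be traced to its record and revoked while other integrations keep working.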
Related concepts
- OAuth: a delegated authorization protocol often used instead of, or alongside, API keys for third-party access.
- Encrypted credential storage: how the server side record of a key or secret is protected at rest.
- Role-based access control: the permission model that determines what an authenticated key is allowed to do.