API Key Basics & Safety

What are API keys?

An API key is a long, random string of letters, numbers and symbols that a program presents as its login when it accesses a service.

For example, to log into Gmail you would traditionally provide:

  1. Your email address
  2. Your password
  3. (optionally) A MFA code or some other "extra check"

Compared to the traditional login above, an API key is both the identifier (like your username) and the secret (like your password) in one string, so treat it at least as securely as your own password:

  1. Don't share the API key with anyone, just enter it directly into the system that needs it
  2. Don't record the API key in a non-secure location, EG: saving it in a Word document on the company network
  3. Always check where you are entering the key (EG: ensure it's 'The BOS' and not a dodgy similar-looking site designed to capture your API keys).

Re-using API keys

Where possible, never use one API key for more than one purpose.

For example, if you have an API key for Xero that you use with Stripe to send payments to Xero, and you want another service to integrate with your Xero account, generate a second API key for that service rather than reusing the first one. This is for multiple reasons:

  1. You can set different permissions per API key (on most services), so the "Stripe to Xero" key in the example above could be a "receive invoices only" key, while some other service might have a "full access to payroll information" key
  2. In the event of a breach (EG: your "Stripe to Xero" key is discovered by an evil villain), you can just change that one key rather than having to update every key on every service.
  3. You have an 'audit trail' if something goes wrong. EG: If invoices are wrongly getting deleted, you can check which key is deleting them to identify the culprit.

If the service you are using only allows you to generate a single API key and you need to use it to integrate with multiple services then you will have no choice but to reuse the key. Fortunately this rarely happens nowadays. 
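As an added example (not part of the original article), here is a small Python check that shows how per-integration keys make the audit trail useful: it runs over a constructed key inventory and a few constructed audit-log lines, reports which key is deleting invoices, and flags any key being reused by more than one integration. The log format, key ids and integration names are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed inventory: key id -> (name given at creation, scope). All values are made up.
KEY_INVENTORY = {
    "key_7f3a": ("Stripe Invoice Sending Integration", "invoices:write"),
    "key_c21e": ("Payroll Sync", "payroll:read"),
    "key_0b9d": ("API", "full_access"),  # badly named and over-privileged
}

# Constructed audit log; the "key=... integration=... action=... target=..." format is assumed.
AUDIT_LOG = """\
2024-05-01T09:00:12Z key=key_7f3a integration=stripe action=create target=invoice/INV-1001
2024-05-01T09:05:40Z key=key_0b9d integration=stripe action=delete target=invoice/INV-0998
2024-05-01T09:06:02Z key=key_0b9d integration=reporting-tool action=read target=payroll/2024-04
2024-05-01T09:07:15Z key=key_0b9d integration=reporting-tool action=delete target=invoice/INV-0999
2024-05-01T09:10:00Z key=key_c21e integration=payroll-app action=read target=payroll/2024-04
"""

LINE_RE = re.compile(
    r"key=(?P<key>\S+) integration=(?P<integration>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)"
)

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def deleting_keys(events, target_prefix="invoice/"):
    """Deletions of the given target type per key: the 'which key is deleting invoices' lookup."""
    counts = Counter()
    for e in events:
        if e["action"] == "delete" and e["target"].startswith(target_prefix):
            counts[e["key"]] += 1
    return dict(counts)

def reused_keys(events):
    """Keys seen from more than one integration, i.e. the reuse the article warns against."""
    seen = defaultdict(set)
    for e in events:
        seen[e["key"]].add(e["integration"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for key, n in deleting_keys(events).items():
        print(f"{KEY_INVENTORY[key][0]!r} ({key}) deleted {n} invoice(s)")
    for key, sources in reused_keys(events).items():
        print(f"{KEY_INVENTORY[key][0]!r} ({key}) is reused by: {', '.join(sources)}")
```

In the constructed log, the generically named full-access key is both the one deleting invoices and the one shared between two integrations, which is exactly the situation separate, scoped keys would have avoided.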

Naming API keys

Most services let you name API keys when you are making them. Name them descriptively so you can tell later what each key is used for, EG: "Stripe Invoice Sending Integration" rather than "API".