API Key

An API key is how a piece of code proves who it is — a password for your application, not for you. Treat it with the same secrecy, because anyone who has it can act as if they were your account.


Definition

An API key is a unique string of characters issued to an application, developer, or account that is used to identify and authenticate requests made to an API. It serves a similar function to a password, but is designed for programmatic, machine-to-machine use rather than a human logging in interactively through a browser.

When an application calls an API, it includes the key in the request — typically in an HTTP header or as a query parameter — and the receiving server verifies the key before processing anything further. This verification allows the server to identify who is making the call, apply the correct permissions and rate limits, log usage for billing or analytics purposes, and reject requests carrying an invalid, expired, or revoked key.
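The verification step described above, as an added example that is not part of the original page or Cuttly's own code: a small server-side checker that accepts the key from either an Authorization header or an `api_key` query parameter, looks it up by its SHA-256 hash (so the raw key is never stored), and then applies the revocation, expiry, rate-limit and scope checks in that order before writing an audit entry. The key store, the sample keys, the quota values and the clock are all constructed here so the code runs offline.

```python
"""Server-side API key verification (added example; assumptions, not Cuttly's design).

Each stored record carries an owner, a set of scopes, an expiry timestamp,
a revoked flag and a per-minute quota. Keys are held only as SHA-256 digests.
"""
import hashlib
import time
from collections import defaultdict, deque


def _digest(key: str) -> str:
    """Hash a raw key; only digests are stored and compared."""
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed key store: digest -> metadata (a real service would use a database).
KEY_STORE = {
    _digest("demo-live-key-111"): {"owner": "acct-1", "scopes": {"links:write", "stats:read"},
                                   "expires": 2_000_000_000, "revoked": False, "rpm": 3},
    _digest("demo-old-key-222"): {"owner": "acct-2", "scopes": {"stats:read"},
                                  "expires": 1_000_000_000, "revoked": False, "rpm": 60},
    _digest("demo-revoked-333"): {"owner": "acct-3", "scopes": {"stats:read"},
                                  "expires": 2_000_000_000, "revoked": True, "rpm": 60},
}

_WINDOW_SECONDS = 60.0
_recent_calls = defaultdict(deque)   # digest -> timestamps of calls inside the window
AUDIT_LOG = []                       # entries never contain the key, only a digest prefix


def extract_key(headers, query):
    """Accept the key as `Authorization: Bearer <key>` or as the `api_key` query parameter."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    return query.get("api_key")


def _deny(reason, owner=None, prefix=None):
    AUDIT_LOG.append({"owner": owner, "key": prefix, "ok": False, "reason": reason})
    return {"ok": False, "owner": owner, "reason": reason}


def verify(headers, query, needed_scope, now=None):
    """Return {"ok", "owner", "reason"} for one request.

    Order of checks: presence, known key, revoked, expired, rate limit, scope.
    A valid key consumes quota even when the scope check then fails.
    """
    now = time.time() if now is None else now
    key = extract_key(headers, query)
    if not key:
        return _deny("missing key")
    digest = _digest(key)
    prefix = digest[:8]
    record = KEY_STORE.get(digest)
    if record is None:
        return _deny("unknown key", prefix=prefix)
    if record["revoked"]:
        return _deny("revoked", record["owner"], prefix)
    if now >= record["expires"]:
        return _deny("expired", record["owner"], prefix)
    # Sliding-window rate limit per key.
    window = _recent_calls[digest]
    while window and window[0] <= now - _WINDOW_SECONDS:
        window.popleft()
    if len(window) >= record["rpm"]:
        return _deny("rate limited", record["owner"], prefix)
    window.append(now)
    if needed_scope not in record["scopes"]:
        return _deny("insufficient scope", record["owner"], prefix)
    AUDIT_LOG.append({"owner": record["owner"], "key": prefix, "ok": True, "reason": None})
    return {"ok": True, "owner": record["owner"], "reason": None}
```

Hashing the key before the lookup means the server holds nothing that can be replayed if the store leaks, and the audit log records only a digest prefix, which is enough to correlate activity with a key without ever writing the secret to disk.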

API Key vs Password vs OAuth Token

                 | Password                               | API Key                                                 | OAuth Token
Used by          | A human, via an interactive login form | An application, making automated requests               | An application acting on behalf of a specific user
Typical lifespan | Long-lived until manually changed      | Long-lived, often until manually revoked                | Often short-lived, automatically expiring
Scope of access  | Full account access                    | Typically the full access of the account that issued it | Usually limited to a specific, defined scope of permissions
Issued via       | Account registration                   | Generated directly in account settings                  | A multi-step authorization flow (OAuth)

Why API Keys Must Be Kept Secret

Because an API key typically carries the same level of access as the account that generated it, anyone who obtains a valid key can make requests, consume usage and rate limits, and potentially access or modify data exactly as if they were the legitimate account holder. There is no secondary verification step the way there often is for a stolen password protected by multi-factor authentication — the key alone is usually sufficient.

The most common ways API keys leak:

  • Hardcoded directly into client-side JavaScript that runs in a user's browser — viewable by anyone using browser developer tools
  • Embedded in a public mobile app, recoverable through basic decompilation
  • Accidentally committed to a public code repository, particularly common when a key is hardcoded rather than loaded from an environment variable or secrets manager
  • Shared in plain text over chat, email, or a support ticket without any expectation of regeneration afterward

Best Practices for Handling API Keys

  • Never embed a key in client-side code. Any request requiring a secret key should be made from a secure server-side environment, with the client-side application calling your own backend instead, which then makes the authenticated call to the third-party API using the key stored securely server-side.
  • Use environment variables or a secrets manager. Avoid hardcoding keys directly into source files that might end up in version control.
  • Regenerate a key immediately if it may have been exposed. Treat suspected exposure the same way you would treat a leaked password — assume it's compromised and rotate it without delay.
  • Use the most restricted key or scope available for a given integration, if the platform supports issuing keys with limited permissions, rather than always using a key with full account access.
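The first two practices above put together, as an added example that is not code from the page or from Cuttly: a backend endpoint that the browser calls instead of the third-party API. The key is read from an environment variable at startup and the process refuses to start without it (no hardcoded fallback), the key is attached to the upstream request only on the server, and anything returned to the client is passed through a redaction step so an upstream error message can never echo the secret back. The environment variable name `CUTTLY_API_KEY`, the `/shorten` request shape and the upstream request format are assumptions chosen for this example; the upstream call is injected and faked so the code runs offline.

```python
"""Backend proxy that keeps the API key server-side (added example, assumptions marked)."""
import os
import re

KEY_ENV = "CUTTLY_API_KEY"          # assumed variable name, not taken from Cuttly's docs
HTTPS_URL = re.compile(r"^https://\S+$")


def load_api_key(env=None):
    """Read the key from the environment and fail fast if it is absent.

    Refusing to start is safer than a hardcoded default, which is exactly the
    value that ends up committed to a repository.
    """
    env = os.environ if env is None else env
    key = env.get(KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV} is not set; refusing to start")
    return key


def redact(text, key):
    """Mask the key wherever it appears before text reaches a log or a client."""
    return text.replace(key, key[:4] + "****") if key else text


def handle_shorten(client_body, api_key, upstream):
    """Our own /shorten endpoint (assumed shape): the browser sends only the URL.

    `upstream` is a callable taking the request dict and returning (status, body);
    in production it would perform the real HTTPS call to the third-party API.
    """
    url = client_body.get("url", "")
    if not HTTPS_URL.match(url):
        return {"status": 400, "body": {"error": "url must be an https URL"}}
    # The key is added here, on the server; the client never sees this request.
    request = {"headers": {"Authorization": f"Bearer {api_key}"}, "params": {"url": url}}
    status, body = upstream(request)
    # Upstream error text may quote the credential it rejected; never relay it raw.
    safe_body = {k: redact(str(v), api_key) for k, v in body.items()}
    return {"status": status, "body": safe_body}


def fake_upstream(request):
    """Constructed stand-in for the third-party API so the example runs offline.
    It deliberately echoes the rejected credential, as some real APIs do."""
    auth = request["headers"].get("Authorization", "")
    if auth != "Bearer sk-example-key-0000":
        return 401, {"error": f"credential {auth} was rejected"}
    return 200, {"short": "https://short.example/abc"}


def demo():
    """Run one successful proxied call with a constructed environment."""
    key = load_api_key({KEY_ENV: "sk-example-key-0000"})
    return handle_shorten({"url": "https://example.org/page"}, key, fake_upstream)
```

The point of injecting `upstream` is that the boundary is explicit: everything the browser can influence is in `client_body`, everything that needs the secret is behind the function call, and the only path back to the client goes through `redact`.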

Using Your API Key in Cuttly

Your Cuttly API key is available in your account dashboard under the API settings section, and is included as a parameter in requests to Cuttly's REST API to authenticate calls for creating short links, retrieving click analytics, and managing account resources programmatically.

As with any API key, keep it private: include it only in secure, server-side requests, and never commit it to a public code repository or embed it directly in client-side JavaScript. Full setup instructions, including authentication examples, are available in Cuttly's API documentation.

FAQ

What is an API key?

A unique string of characters that identifies and authenticates an application or account when calling an API — functioning similarly to a password, but for programmatic rather than human, interactive use.

How is an API key different from a password or an OAuth token?

A password is for a human logging in interactively. An API key is for an application's automated requests. An OAuth token is typically shorter-lived and scoped to specific permissions, issued through a more complex authorization flow.

Why should an API key never be exposed in client-side code?

Client-side code can be inspected and extracted by anyone, instantly exposing the key. Since a key typically grants the same access as the account that issued it, exposure means anyone can act as that account.

How do I find and use my API key in Cuttly?

It is available in your Cuttly account dashboard under API settings and is used to authenticate requests to Cuttly's REST API. Keep it private and use it only in secure, server-side requests.
