API Key
A secret credential string used to authenticate a calling application to an API, granting it access to that service's resources.
In detail
An API key is a long random string (often 32 to 64 characters) that acts as a password for machine-to-machine authentication. The calling application includes the key in the HTTP request header or query string, and the API service validates it and grants access. API keys differ from OAuth tokens in that they typically represent the application rather than a specific user, and they do not expire unless explicitly rotated. Keys are used by AI providers (Anthropic, OpenAI), cloud platforms (AWS, GCP), payment processors (Stripe) and most SaaS APIs. A leaked API key is a credential leak: the holder can consume your quota, access your data and incur charges.
Why it matters for Australian business
API keys are the most commonly leaked credential type in vibe-coded Australian applications. AI generators frequently hardcode keys directly into client-side JavaScript files, into environment files that get committed to public Git repositories, or into build outputs. Veracode's 2025 GenAI Code Security Report identifies credential exposure as one of the leading vulnerability patterns. We scan for leaked keys on every audit and replace them with environment-variable patterns and secret manager integrations.
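One way to detect hardcoded keys in a JavaScript file, given here as an added example and not the audit tooling described above: it flags quoted literals in the 32 to 64 character range whose Shannon entropy is high, and marks the ones assigned to credential-like names. The 3.5 bits-per-character threshold, the name pattern and the sample bundle (including its key) are assumptions constructed for illustration.

```python
import math
import re

# Quoted literals of 32-64 key-like characters, the length range given above.
CANDIDATE = re.compile(r"""["'`]([A-Za-z0-9_\-]{32,64})["'`]""")
# Assumption of this example: identifiers that suggest a credential.
KEYISH_NAME = re.compile(r"(?i)(api[_-]?key|secret|token|auth)")
ENTROPY_THRESHOLD = 3.5  # assumed cut-off, in bits per character

# Constructed sample of client-side JavaScript; the key is made up.
SAMPLE_BUNDLE = '''\
const apiKey = "q7Zt2LmX9vRb4KcN8sWd3HfJ6yPg1TuE5aQo0ViB";
const client = new Client({ key: process.env.API_KEY });
const apiKeyPlaceholder = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
const buildId = "3f9a1c7e5b2d8f04a6c1e9b7d3f5a2c8e0b4d6f1";
'''


def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_keys(source):
    """Return (line_no, redacted_literal, reason) for each suspicious literal."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            literal = match.group(1)
            if shannon_entropy(literal) < ENTROPY_THRESHOLD:
                continue  # placeholders and repeated filler are not random
            named = bool(KEYISH_NAME.search(line[:match.start()]))
            reason = "named+high-entropy" if named else "high-entropy"
            # Report only a prefix so the scan output does not leak the key.
            findings.append((line_no, literal[:4] + "...", reason))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_keys(SAMPLE_BUNDLE):
        print(finding)
```

The build hash on line 4 is flagged as well, which is why the name context matters when triaging findings; line 2, which reads the key from process.env, produces none.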