Portmint Lighthouse

Keys — Who Gets In

Some kitchens cook for anyone who walks up. Most want to know who's ordering first. That's where the API key comes in — a small private password that proves which app is placing the order.

Why a kitchen wants to know you

Imagine a busy restaurant that only serves members. Before it cooks, it checks your member card. Why bother? Three calm reasons, and they're the same for APIs.

To keep count. The service wants to know how much each app is ordering, so it can keep things fair and, often, send a bill.

To stop trouble. If one app starts behaving badly — ordering ten thousand times a minute — the service can spot exactly who and shut just that card off, without punishing everyone else.

To offer different plans. A free card might get a small number of orders a day; a paid card gets more. The key tells the kitchen which plan you're on.

What a key actually is

An API key is just a long, random string of letters and numbers (sometimes with dashes) that belongs to you. It's long and random on purpose: nobody can guess it, and no two apps ever get the same one. It might look like this:

a7f3k9-2c8b1e-44dd90-x6q2

That's it — a unique scribble no one else has. When you sign up for an API (usually free, usually a two-minute form), the service hands you your key. From then on, you clip it to every order so the kitchen knows it's you.

Where does it ride? Usually in a header — remember those side notes from the request lesson. The service's docs tell you the header's exact name (Authorization is common, and so are custom names like X-API-Key). Tucking it in a header keeps it tidy and a little more private. Sometimes, though, it rides as a parameter after the ?, like any other note:

https://api.weather-example.com/today?city=Boston&key=a7f3k9-2c8b1e-44dd90-x6q2

Either way, the idea is the same: the key travels with the request and says "this order is from me." (A key in the address is easier to leak — addresses get written down in logs and browser history — so when a service offers both, the header is the calmer choice. And the key should only ever travel over https, so nobody sitting between you and the kitchen can read it off the wire.)

A key is a secret — treat it like one

Here's the one rule that matters most, so I'll say it plainly: your API key is a password. Guard it like one.

If someone copies your key, they can place orders as you — run up your bill, get you blocked, spend your daily allowance. The card has your name on it; whoever holds it spends your credit.

So, a few quiet habits:

  • Don't paste your key into a public place — not a forum post, not a screenshot, not a public web page where others can read it.
  • Don't put it in code you share with the world, like a public project online. Bots scan public code for leaked keys around the clock, and a key that was pushed once stays in the project's history even after you delete the line. Keep it outside the code instead: in an environment variable or a small config file the project ignores, and read it in when the program starts.
  • If a key leaks, retire it. Any decent service lets you cancel (revoke) a key and get a fresh one. Do it the moment you suspect it's out, then put the new key where the old one lived. Cancelling a leaked card costs you nothing; leaving it active can cost you plenty.

Think of it exactly like the PIN on your bank card. You'd never tape that to the card or read it aloud in a crowd. Same care, same reasons. 🔦
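Here is an added example, not part of the lesson, that puts the two habits above into a few lines of Python: the key is read from an environment variable rather than written into the code, it rides in a header rather than in the address, and anything that might reach a log is scrubbed first. The environment variable name WEATHER_API_KEY and the header name X-API-Key are assumptions for the example (a real service's docs give you its own names); the URL is the one from the lesson, and the sample key is a constructed stand-in.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumptions for this example: the key lives in an environment variable named
# WEATHER_API_KEY (never in the source file), the kitchen reads it from a header
# called X-API-Key, and the base URL is the one from the lesson.
ENV_VAR = "WEATHER_API_KEY"
HEADER_NAME = "X-API-Key"
BASE_URL = "https://api.weather-example.com/today"


def load_key(env=os.environ):
    """Fetch the key from the environment; fail loudly if it is missing."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; export it before running")
    return key


def build_request(city, key):
    """Return (url, headers): the key rides in a header, not in the address.

    The URL carries only the city, so logs and browser history that record
    the address never see the secret.
    """
    url = f"{BASE_URL}?{urlencode({'city': city})}"
    headers = {HEADER_NAME: key, "Accept": "application/json"}
    return url, headers


def build_request_in_query(city, key):
    """The weaker option from the lesson: the key as a ?key= parameter."""
    return f"{BASE_URL}?{urlencode({'city': city, 'key': key})}"


def redact_key_params(url, names=("key", "api_key", "apikey", "token")):
    """Scrub key-like query parameters from a URL before it is written to a log."""
    parts = urlsplit(url)
    cleaned = [
        (name, "REDACTED" if name.lower() in names else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_known_key(text, key):
    """Belt and braces: blank out the literal key wherever it appears in a line."""
    return text.replace(key, "REDACTED") if key else text


if __name__ == "__main__":
    # Constructed sample key for the demo, same shape as the one in the lesson.
    demo_env = {ENV_VAR: "a7f3k9-2c8b1e-44dd90-x6q2"}
    key = load_key(demo_env)
    url, headers = build_request("Boston", key)
    print("URL   :", url)                       # the address carries no key
    print("Header:", HEADER_NAME, "= (set, not printed)")
    leaky = build_request_in_query("Boston", key)
    print("Leaky :", leaky)                     # this is the form that ends up in logs
    print("Logged:", redact_key_params(leaky))  # what should reach the log instead
```

To run it for real, export WEATHER_API_KEY in your shell and call load_key() with no argument; the request builder never needs to see where the key came from, which is exactly the point. The redaction helpers are worth keeping around even when you use headers, because a copied-and-pasted URL with ?key= in it is the most common way a key wanders into a log or a screenshot.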

Not every API needs one

Worth a calm note: plenty of small, public APIs ask for no key at all — open kitchens that serve anyone. Those are perfect for practice, which is why we've used them so far. But the moment an API can cost money or carries real limits, expect a key, and treat it with respect.

Your turn

Pick a weather or maps API you're curious about and find its "get an API key" or "sign up" page. Read what it says about its free plan — how many orders you get, and what it costs if you go over. You don't have to sign up yet.

Just notice the trade: the key is how the kitchen keeps things fair. Which leads straight to the next lesson — the polite limit on how often you're allowed to ask.
