What is an API key? Why do we need them?

An API Key is a unique identification number given to each user ( app ) who wants to make API calls ( requests ). It is used to track number of requests made by a particular app to avoid Denial of Service attack and also for premium features. eg: only 500 calls per day for free account and to make more calls you have to subscribe to their premium account.

---

A normal website can authenticate a user by requesting a username and password. An API frequently is not that interactive. In order to identify authenticated users the user is pre-authenticated and issued an API key. The API requests include the API key, usually in a request header.

 

Just like passwords, API keys should be rotated to prevent a compromised key from being abused. Some systems have a way to issue API keys on demand. These keys may only be valid for hours or minutes, limiting the exposure of a compromised key.

 

https://www.quora.com/What-is-an-API-key-Why-do-we-need-them

 

API keys are for projects, authentication is for users

Cloud Endpoints handles both API keys and authentication schemes, such as Firebase or Auth0. The main distinction between these two is:

• API keys identify the calling project — the application or site — making the call to an API.
• Authentication tokens identify a user — the person — that is using the app or site.

When to use API keys

An API may restrict some or all of its methods to require API keys. It makes sense to do this if:

• You do want to block anonymous traffic. API keys identify an application's traffic for the API producer, in case the application developer needs to work with the API producer to debug an issue or show their application's usage.
• You want to control the number of calls made to your API.
• You want to identify usage patterns in your API's traffic. You can see application usage in APIs & services.
• You want to filter logs by API key.

API keys cannot be used for:

• Identifying individual users — API keys don't identify users, they identify projects.
• Secure authorization.
• Identifying the creators of a project.

https://cloud.google.com/endpoints/docs/openapi/when-why-api-key

API 키를 사용하는 이유 및 조건  |  Cloud Endpoints 및 OpenAPI  |  Google Cloud