API Keys Authentication

API keys are the simplest way to secure API endpoints. They're static tokens that clients send with each request, ideal for server-to-server communication and simple integrations.

How API Keys Work

API keys authenticate requests without involving users:

from fastapi import FastAPI, HTTPException, Header

app = FastAPI()

API_KEY = "super-secret-key-12345"

@app.get("/data")
async def get_data(x_api_key: str = Header()):
    if x_api_key != API_KEY:
        raise HTTPException(status_code=401, detail="Invalid API key")
    return {"data": "secret information"}

Storing API Keys Securely

Never hardcode keys in your application:

import os
from dotenv import load_dotenv

load_dotenv()
API_KEY = os.getenv("API_KEY")

@app.get("/secure")
async def secure_endpoint(x_api_key: str = Header()):
    if x_api_key != API_KEY:
        raise HTTPException(status_code=401, detail="Invalid key")
    return {"message": "authenticated"}

API Key Validation

from fastapi import Security, HTTPException

async def verify_api_key(api_key: str = Header()):
    if api_key != API_KEY:
        raise HTTPException(status_code=403, detail="Invalid API key")
    return api_key

@app.get("/protected")
async def protected(key: str = Security(verify_api_key)):
    return {"message": "access granted"}

Common Patterns and Best Practices

• ✅ Rotate API keys regularly

• ✅ Use environment variables, never hardcode

• ✅ Implement rate limiting per API key

• ✅ Log API key usage for audit trails

• ✅ Use HTTPS only in production

• ✅ Provide key expiration mechanisms

• ✅ Allow clients to regenerate keys

• ✅ Never expose keys in error messages

Real-World Usage

API keys are ideal for:

• Third-party integrations

• Mobile applications

• Service-to-service authentication

• Simple programmatic access

• Webhook verification