Identity GlossaryLast updated July 17, 2026

API Key

A neutral definition of an API key: the static token that authenticates programmatic access, and why "static" is exactly what makes it hard to govern.

What Is an API Key?

An API key is a static token used to authenticate programmatic access to an application programming interface, a string of characters an application includes with each request to prove it’s allowed to call that API. Unlike a human login, there’s typically no username, no MFA prompt, and often no expiration: whoever holds the key can make the calls it authorizes.

That simplicity is also the risk. API keys get copied into config files, environment variables, CI/CD pipelines, and sometimes committed directly into source code. Once a key exists in more than one place, which is common, there’s no single system that can say with confidence everywhere it’s currently stored or used.

Because a key is just a string, revoking access after an employee leaves or a vendor relationship ends requires someone to actually know the key exists and rotate it. API keys created for a one-off integration years ago routinely stay valid long after anyone remembers issuing them, which is why they’re a recurring finding in breach post-mortems: not because the technology is unusual, but because no one owns the cleanup.

Share

What API Key Management Actually Requires

Managing API key risk depends on four capabilities most inventories lack by default.

1

Discovery Across Storage Locations

Finding keys wherever they actually live: config files, environment variables, secrets managers, CI/CD systems, and (unfortunately) source control.

2

Usage Correlation

Connecting a key back to the application, owner, or team that issued it and actively relies on it.

3

Staleness & Scope Review

Flagging keys that haven’t been used recently, or that carry broader permissions than the integration they were created for actually needs.

4

Rotation & Revocation

Actually retiring a key once it’s confirmed unused, rather than leaving it valid indefinitely because no one is certain it’s safe to remove.

Frequently Asked Questions

See the Identity System of Record in Action

Hydden discovers, reconciles, and continuously governs every identity (human, machine, and agentic) across your enterprise.

© 2026 Hydden Inc. All rights reserved.Privacy PolicyTerms of Service