What Is an API Key? A Non-Developer's Guide
If you’re getting into AI tools, you’re going to run into the term “API key” almost immediately. The first time I saw it, I had no idea what it meant. Every explanation I found assumed I already knew what an API was. Not helpful.
Here’s the plain-English version.
What Is an API?
An API (Application Programming Interface) is a way for two pieces of software to talk to each other. Think of it like a restaurant menu. You don’t go into the kitchen and cook the food yourself. You look at the menu, tell the waiter what you want, and the kitchen sends it out. The menu is the API. It tells you what you can ask for and how to ask for it.
When you use an AI tool like Claude, your app sends a request to Anthropic’s servers (“hey, answer this question”), and the server sends a response back. The API is the system that makes that exchange possible.
What Is an API Key?
An API key is your personal access pass. It’s a long string of random characters (something like sk-ant-api03-abc123def456...) that identifies you to the service.
It serves two purposes:
- Authentication: It proves you are who you say you are
- Billing: It ties usage to your account so the company knows who to charge
Think of it like a credit card number for a specific service. Anyone who has your API key can use the service and you’ll get the bill.
Where Do You Get One?
Every AI service has a console or dashboard where you can generate API keys. Here’s how it works with Anthropic (the company behind Claude):
- Go to console.anthropic.com
- Create an account or sign in
- Navigate to API Keys in the sidebar
- Click Create Key
- Give it a name (like “my-blog-project”) and copy the key
Important: Most services only show you the full key once, right when you create it. If you lose it, you’ll need to generate a new one.
How to Keep Your API Key Safe
This is critical. Treat your API key like a password. Actually, treat it more carefully than most passwords. Here’s why: if someone gets your API key, they can run up charges on your account. Some people have woken up to bills in the thousands because their key was exposed.
Rules to live by:
- Never paste your API key into a public place. No GitHub repos, no forum posts, no screenshots. Bots actively scan the internet for exposed keys.
- Use environment variables. Instead of putting the key directly in your code, store it in a .env file that stays on your machine. Your AI coding assistant can help you set this up. Just ask.
- Set spending limits. Most services let you cap your monthly spend. Do this immediately. Anthropic lets you set a hard limit in the console under Billing.
- Rotate your keys. If you think a key might be compromised, delete it and create a new one. It takes 30 seconds.
- Use different keys for different projects. This way, if one key is exposed, you only need to replace that one.
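As an added example (not code from the original post), here is a small Python script showing what "use environment variables" looks like in practice: it reads the key from a .env-style file instead of the code, fails loudly if the key is missing, masks it before it is ever logged, and runs a simple pre-commit style check for anything shaped like an Anthropic key pasted into source. The sample key value and the exact key pattern are constructed assumptions based on the sk-ant-api03- example above.

```python
import os
import re
from typing import Dict, List

# Constructed sample .env content (not a real key); the shape follows the
# "sk-ant-api03-..." example given earlier in this guide.
SAMPLE_ENV = """
# comment line
export ANTHROPIC_API_KEY="sk-ant-api03-EXAMPLEKEY1234567890"
PROJECT_NAME=my-blog-project
"""

def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; comments, blank lines, 'export' and quotes are allowed."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip()] = value
    return result

def load_api_key(env: Dict[str, str], name: str = "ANTHROPIC_API_KEY") -> str:
    """Return the key from the given environment mapping; fail loudly if it is missing."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; put it in your .env file or vault, never in code")
    return key

def redact(key: str) -> str:
    """Mask a key for log output: keep the recognisable prefix and the last 4 characters."""
    if len(key) <= 12:
        return "****"
    return key[:12] + "..." + key[-4:]

# Hypothetical pre-commit style check: flag anything that looks like an Anthropic key
# pasted into source text. The pattern is an assumption based on the prefix shown above.
KEY_PATTERN = re.compile(r"sk-ant-api\d{2}-[A-Za-z0-9_-]{16,}")

def find_hardcoded_keys(source: str) -> List[int]:
    """Return 1-based line numbers in `source` that contain something shaped like a key."""
    return [i for i, line in enumerate(source.splitlines(), 1) if KEY_PATTERN.search(line)]

if __name__ == "__main__":
    env = {**os.environ, **parse_dotenv(SAMPLE_ENV)}
    print("loaded key:", redact(load_api_key(env)))
```

Keep the .env file itself out of version control (add it to .gitignore), otherwise the file ends up in exactly the public places the first rule warns about.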
How We Handle Keys on Our End
Rules in the abstract are easy to ignore, so here’s what we actually do. For every project on this site (and for Revelio, our small security monitor) we use 1Password as the single home for every API key. Our scripts don’t keep keys in .env files long-term. They pull them from the vault at the moment they’re used, with a command that looks roughly like this:
op read "op://Vault Name/Item Title/credential"
The key stays encrypted at rest, never lands in shell history, and we can rotate it in one place when something feels off. Setting it up takes about 10 minutes the first time, and after that you stop thinking about it.
We learned this the hard way from both sides. Revelio doesn’t just consume API keys to run its scans; it also issues them to the agents reporting back. Whether you’re handing keys out or being handed them, the lesson is the same: keys leak, and short lifespans plus fast rotation are the only real defense.
Now What?
If you’re ready to actually use one, the next step is hooking it up to a tool. Our Claude Code on Mac setup guide walks through it end to end, including where to drop the key so it doesn’t end up somewhere it shouldn’t.
The Short Version
An API key is a password that lets your app talk to an AI service. You get it from the service’s dashboard, you keep it secret, and you set a spending limit so a leak doesn’t drain your wallet.
That’s it. You don’t need to understand the technical details behind how APIs work to use them safely. Just remember: keep it secret, keep it safe.