API keys are the front door to your service. Yet 40% of organizations have experienced an API security incident in the past two years, and leaked API keys remain the leading cause of cloud breaches. This guide covers everything you need to know about managing API keys securely in 2026.
Whether you're building an API for the first time or hardening an existing system, proper key management is the foundation of API security. We'll cover generation, storage, rotation, rate limiting, monitoring, and the common mistakes that lead to breaches.
What Is an API Key?
An API key is a unique identifier used to authenticate requests to an API. Unlike user credentials (username/password), API keys identify the application making the request rather than the user. They serve three primary purposes:
- Authentication — identifying who is making the request
- Authorization — determining what resources they can access
- Usage tracking — monitoring and rate limiting API consumption
API Key Generation Best Practices
Use Cryptographically Secure Random Generation
Never generate API keys from predictable data like timestamps, user IDs, or sequential numbers. Use cryptographically secure random number generators:
// ✅ Good: Cryptographically secure key generation
const generateApiKey = () => {
const bytes = crypto.getRandomValues(new Uint8Array(32))
return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('')
}
// ❌ Bad: Predictable pattern
const badKey = `api_${userId}_${Date.now()}` // Never do thisUse Prefixed Keys for Easy Identification
Add a prefix to your API keys so they can be easily identified in logs, code reviews, and secret scanning tools:
// Format: to_live_xxxxxxxxxxxxxxxx
// to = product identifier
// live = environment (live/test/staging)
// xxx = 32-char random hex
const key = `to_live_${generateApiKey()}`This pattern allows automated tools like GitHub's secret scanning to detect leaked keys and alert you immediately.
Secure Storage
Never Store Raw API Keys
Store only the hash of the API key in your database. When a request comes in, hash the provided key and compare:
// On key creation — store hash, return raw key to user ONCE
const rawKey = generateApiKey()
const keyHash = await crypto.subtle.digest('SHA-256',
new TextEncoder().encode(rawKey)
)
await db.insert({ keyHash, customerId, permissions })
// On validation — hash incoming key and lookup
const incomingHash = await crypto.subtle.digest('SHA-256',
new TextEncoder().encode(requestKey)
)
const record = await db.findByHash(incomingHash)Client-Side Storage Rules
- Never commit API keys to version control
- Never embed keys in client-side JavaScript or mobile apps
- Use environment variables or secret management services
- Use .gitignore for .env files and configure pre-commit hooks
Key Rotation Policies
API keys should be rotated regularly to limit the blast radius of a potential compromise:
Recommended Rotation Schedule
- Production keys: Rotate every 90 days
- Staging/test keys: Rotate every 30 days
- After personnel changes: Immediate rotation when team members leave
- After suspected compromise: Immediate revocation and rotation
Zero-Downtime Rotation
Support multiple active keys per customer to enable zero-downtime rotation:
- Customer generates a new key (old key still works)
- Customer updates their application to use the new key
- Customer verifies the new key works in production
- Customer revokes the old key
Rate Limiting and Abuse Prevention
Every API key should have configurable rate limits based on the customer's plan:
| Plan | Requests/Min | Requests/Day | Burst Limit |
|---|---|---|---|
| Free | 10 | 1,000 | 20 |
| Starter | 60 | 10,000 | 100 |
| Professional | 300 | 100,000 | 500 |
| Enterprise | 1,000 | Unlimited | 2,000 |
Return standard HTTP 429 (Too Many Requests) responses with clear headers:
// Rate limit response headers
{
"X-RateLimit-Limit": "60",
"X-RateLimit-Remaining": "0",
"X-RateLimit-Reset": "1710460800",
"Retry-After": "30"
}Monitoring and Anomaly Detection
Monitor API key usage for patterns that indicate abuse or compromise:
- Geographic anomalies — requests from unexpected countries
- Volume spikes — sudden increase in request rate
- Error rate spikes — excessive 4xx or 5xx responses
- After-hours usage — abnormal activity during non-business hours
- Endpoint patterns — accessing sensitive endpoints not typical for the key's scope
Scoping and Permissions
Apply the principle of least privilege to API keys. Each key should have only the permissions it needs:
- Read-only keys — for analytics dashboards and monitoring
- Write keys — for creating and modifying resources
- Admin keys — for account management (use sparingly)
- Resource-scoped keys — limited to specific products, projects, or domains
Common API Key Security Mistakes
- Hardcoding keys in source code — use environment variables instead
- Using one key for everything — create scoped keys for different services
- Never rotating keys — set up automated rotation reminders
- No revocation mechanism — always support immediate key revocation
- Logging raw keys — mask keys in logs (show only last 4 characters)
- No rate limiting — every key should have usage limits
- Sending keys in URLs — use Authorization headers instead
Secure API Key Management Built In
Traffic Orchestrator provides enterprise-grade API key management out of the box — scoped permissions, automatic rotation reminders, rate limiting, and usage analytics.
Start Free TodayShip licensing in your next release
5 licenses, 500 validations/month, full API access. Set up in under 5 minutes — no credit card required.