What is an API key, and how to use one without leaking it

An API key is a long random string that authenticates your code to a paid service. When you call OpenAI, Anthropic, Resend, Stripe, or any modern API, the request includes a header like Authorization: Bearer sk-... — that sk-... is the key. Whoever holds it can spend money in your account. Treat it like a credit card number.

What an API key actually is

Mechanically, it's just a long string (usually 40-100 characters) that the provider generates and you copy into your app. The key:

Identifies which account is making the call (so the provider knows whose bill to charge)
Often carries scope/permissions (read-only, full access, project-scoped, etc.)
Can be revoked or rotated when compromised

Different services have different prefixes that hint at the type:

OpenAI: sk-proj-... (project keys) or sk-... (legacy user keys)
Anthropic: sk-ant-api03-...
Resend: re_...
Stripe: sk_live_... or sk_test_...
Supabase: a JWT or a sbp_... PAT

The prefix is a hint to humans; the secret is the whole string.

How to actually use one

The basic flow:

Go to the provider's dashboard (platform.openai.com, console.anthropic.com, etc.)
Create an API key. Copy it. You usually only see it once — providers store the hash, not the original.
Put it in your app. Never hardcode in source.
Use it via the SDK (Python, TypeScript) or a raw HTTP call.

A minimal example with Anthropic in TypeScript:

import Anthropic from "@anthropic-ai/sdk";

const client = new Anthropic({
  apiKey: process.env.ANTHROPIC_API_KEY, // never hardcoded
});

const msg = await client.messages.create({
  model: "claude-sonnet-4",
  max_tokens: 1024,
  messages: [{ role: "user", content: "Hello" }],
});

The key sits in an environment variable — process.env.ANTHROPIC_API_KEY — which is set in .env.local for development and in your hosting provider's env vars (Vercel, Render, Cloudflare, etc.) for production.

How keys actually leak

Real incidents that hit real people:

Committed to a public repo. You hardcoded a key, committed, pushed to GitHub. Bots scrape new commits within minutes. Within an hour someone is running your model on their workload. Cost: hundreds to thousands of dollars before you notice.

Shipped in client-side code. You put OPENAI_API_KEY in a Next.js "use client" file or a React Native bundle. Anyone can open browser DevTools and read it. This is how individual indie devs lose $5,000 in a weekend.

Pasted in a screenshot. You took a screenshot of your terminal showing the env vars and posted it in Discord asking for help. The key is now in someone's screenshot folder, then training data for the next AI scraper.

Slack and email DMs. "Here's my API key, can you check why it's not working?" Your Slack now has it indexed. If your Slack workspace is breached six months later, the key is exposed.

How to use API keys safely

Four rules that catch 95% of leaks.

1. Never put the key in source code or a client bundle. Always .env.local (gitignored) for development. Always platform env vars for production. Server-side only — keys must never reach the user's browser.

2. .gitignore your .env* files. And double-check before your first commit. If you accidentally commit one, just rotating the key isn't enough — git history will still leak it. Use git filter-repo to scrub.

3. Use scoped, limited keys. OpenAI, Anthropic, and most major APIs let you create restricted keys: spend limits, project scope, read-only. For development, never use your full-access master key — make a $5/month-cap dev key. If it leaks, the damage stops at $5.

4. Set spending alerts and limits in the dashboard. OpenAI lets you set a hard monthly cap. Anthropic similar. Configure these before you put the key in your app, not after the bill comes in.

What to do if a key leaks

Fast steps in order:

Revoke the key immediately in the provider's dashboard. Every minute counts.
Rotate to a new key. Update .env.local and your hosting platform.
Check usage logs. Most providers show recent calls. Look for spikes you didn't make.
Contact support if charges accrued. Most major providers will reverse charges from a clearly-leaked key if you act fast and have your story straight (commit hash, screenshot of revoke, etc.).
Audit how it leaked. Was it git? Client bundle? Slack? Fix the process so it doesn't happen again next week.

Server vs serverless considerations

In modern web apps, the question "where does the API key live" depends on your runtime:

Server-rendered pages, server actions, API routes in Next.js / Remix / SvelteKit: keys live in env vars, used server-side. Safe.
Client components, client-side fetch (browser JS): never. The key would ship to the browser. If the browser needs to talk to OpenAI, proxy through your own server with auth.
Serverless functions (Vercel, Cloudflare, AWS Lambda): same as server — env vars, never bundled into client code.
Mobile apps (iOS, Android): keys in the app binary can be extracted with tools. Always proxy through your own backend.

The rule: if a user can see the code that calls the API, they can extract the key. Plan accordingly.

When NOT to worry about API key security

If you're learning and only using a $5 spend-cap test key on your own laptop, the worst-case is you buy yourself a coffee's worth of someone else's calls. Don't let security paranoia stop you from experimenting. The day you ship to real users or use a real-money key, then tighten up.