What is an API key?

An API key is a secret string that identifies and authenticates a caller to a service. It is simple to use but dangerous if leaked, so keys should be scoped, rotated, and stored as hashes, never in plaintext.

An API key is a long, unguessable token that a client sends with each request to prove who it is and that it is allowed to call the service. Compared with OAuth, keys are simpler: there are no redirect flows and no token refresh, which makes them popular for server-to-server calls, scripts, CI jobs, and headless MCP clients. That simplicity is also their weakness: a key is a bearer credential, so anyone who obtains it can act as its owner until it is revoked.

Good practice mitigates this on several fronts. Keys should be scoped to the minimum permissions the caller needs (least privilege) and ideally tied to specific resources; shown to the user only once, at creation; stored server-side as a salted hash (for example argon2id) so that a database leak does not expose usable secrets; and made easy to rotate and revoke. Keys are typically passed in an `Authorization` header or a dedicated header, never in URLs, where they leak into logs.

In MCP, remote servers may accept an API key via a configured header as an alternative to OAuth, and clients keep it in environment variables rather than hard-coding it. Because keys grant standing access, they pair with rate limiting and audit logging so that abuse is bounded and traceable.
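The practices above, as an added example that is not part of the original page: a minimal in-memory key store that issues a key once, keeps only a salted hash, checks scope and revocation, and reads the key from an `Authorization` header. It uses `hashlib.scrypt` in place of the argon2id the text recommends, because argon2id needs a third-party library; the `KeyStore` class, the record layout and the `key_id.secret` token format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    salt: bytes
    digest: bytes            # salted hash of the secret; the secret itself is never stored
    scopes: frozenset
    revoked: bool = False


class KeyStore:
    """Constructed example store: maps a public key_id to a hashed, scoped record."""

    def __init__(self):
        self.records: dict[str, KeyRecord] = {}

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        # scrypt stands in for argon2id here (stdlib only); both are salted, memory-hard hashes
        return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

    def create(self, scopes) -> str:
        key_id = secrets.token_hex(8)        # lookup handle, safe to log and to show in a UI
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
        salt = secrets.token_bytes(16)
        self.records[key_id] = KeyRecord(salt, self._hash(secret, salt), frozenset(scopes))
        return f"{key_id}.{secret}"          # shown to the caller exactly once, never persisted

    def revoke(self, key_id: str) -> None:
        self.records[key_id].revoked = True  # standing access ends immediately

    def authorize(self, authorization_header: str, required_scope: str) -> bool:
        """Validate a 'Bearer <key_id>.<secret>' header against scope and revocation."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or "." not in token:
            return False
        key_id, secret = token.split(".", 1)
        rec = self.records.get(key_id)
        if rec is None or rec.revoked:
            return False
        # constant-time comparison so timing does not leak the stored digest
        if not hmac.compare_digest(self._hash(secret, rec.salt), rec.digest):
            return False
        return required_scope in rec.scopes   # least privilege: only the granted scopes pass
```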