FAQ resource for What is an API key and how is it different from a token?.
Answer
An API key is a static secret string that identifies and authenticates a calling application or project, usually passed in a header and tied to a set of permissions and quotas. Unlike short-lived OAuth access tokens, API keys typically do not expire on their own and identify an application rather than an end user, which makes them simple but riskier if leaked. They suit server-to-server integrations and usage metering, but should be scoped narrowly, rotated regularly, and never embedded in client-side code. For user-specific authorization with delegated scopes and expiry, OAuth tokens are the better fit.