0:["$","$L2",null,{"buildId":"0v0Nh0cBm3YqdyVGt1eEA","assetPrefix":"","urlParts":["","lessons","what-is-an-api-key",""],"initialTree":["",{"children":["lessons",{"children":[["slug","what-is-an-api-key","d"],{"children":["__PAGE__?{\"slug\":\"what-is-an-api-key\"}",{}]}]}]},"$undefined","$undefined",true],"initialSeedData":["",{"children":["lessons",{"children":[["slug","what-is-an-api-key","d"],{"children":["__PAGE__",{},[["$L3",[["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"Article\",\"headline\":\"What is an API key\",\"description\":\"An API key is your identity. Leak it and someone else becomes you. Learn API key security for the CCA-F exam.\",\"datePublished\":\"2026-03-22\",\"dateModified\":\"2026-03-22\",\"image\":\"https://pencilprep.com/images/og-image.png\",\"author\":{\"@type\":\"Organization\",\"name\":\"PencilPrep\"},\"publisher\":{\"@type\":\"Organization\",\"name\":\"PencilPrep\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://pencilprep.com/images/logo-small.png\"}},\"mainEntityOfPage\":\"https://pencilprep.com/lessons/what-is-an-api-key/\",\"educationalLevel\":\"Beginner\",\"learningResourceType\":\"Interactive lesson\",\"isPartOf\":{\"@type\":\"Course\",\"name\":\"CCA-F Exam Prep\",\"provider\":{\"@type\":\"Organization\",\"name\":\"PencilPrep\"}}}"}}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"BreadcrumbList\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https://pencilprep.com/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Syllabus\",\"item\":\"https://pencilprep.com/syllabus/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"What is an API key\",\"item\":\"https://pencilprep.com/lessons/what-is-an-api-key/\"}]}"}}],["$","$L4",null,{"lesson":{"id":"L1.04","slug":"what-is-an-api-key","title":"What is an API key","story_type":"PERSON","domain":"D2","domain_pct":"18%","minutes":10,"meta_title":"What is an API Key? CCA-F Exam Prep | PencilPrep","meta_description":"An API key is your identity. Leak it and someone else becomes you. Learn API key security for the CCA-F exam.","screens":[{"blocks":[{"type":"tag","color":"#dc2626","bg":"#fef2f2","text":"Real story"},{"type":"image","src":"/images/lessons/l1-04/0.jpg","desc":"A developer's laptop screen showing a GitHub commit. Line 847 is highlighted in red with a string that looks like 'AKIA3E...' (an AWS key). In the background, a phone buzzing with AWS billing alerts. Dark room, blue screen glow.","ratio":"16/9"},{"type":"heading","text":"Line 847. $14,000. 12 minutes."},{"type":"text","text":"A developer pushed code to GitHub. A public repository. 847 lines of Python. Somewhere in the middle, hardcoded: his AWS API key."},{"type":"text","text":"Bots that crawl GitHub for exposed keys found it in 12 minutes. They spun up cryptocurrency mining servers on his AWS account. By the time he woke up: $14,000 in charges."},{"type":"heading","text":"The key was his identity. Anyone with it was him. AWS couldn't tell the difference.","size":18}]},{"blocks":[{"type":"tag","color":"#a89878","bg":"#f5f0e8","text":"Before we explain"},{"type":"quiz","pre":"The developer's API key was a string of characters that told AWS \"this is a trusted user, allow access.\" The bots used that same string. AWS treated them as the developer. Same key = same identity.","question":"Based on this story, what is an API key?","options":[{"label":"A","text":"A secret string that identifies you to a service","correct":true,"feedback":"That's it. An API key is your identity. When you send a request to an API, the key tells the server who you are. It controls what you can access, tracks your usage, and determines who gets billed. Leak it and someone else becomes you."},{"label":"B","text":"A password for logging into a website","correct":false,"feedback":"Close, but different. A password is paired with a username and used by humans. An API key is used by software — no username needed. The key alone is the identity. That's why leaking it is worse than leaking a password."},{"label":"C","text":"An encryption key that secures data","correct":false,"feedback":"Encryption keys scramble data so others can't read it. API keys identify who's making the request. Different purpose entirely. HTTPS handles encryption (L1.02). API keys handle identity."},{"label":"D","text":"A license number for using software","correct":false,"feedback":"A license controls whether you can use software at all. An API key controls access to a specific API, tracks usage per request, and ties billing to a specific account. It's more like a credit card than a license."}]}]},{"blocks":[{"type":"tag","color":"#a89878","bg":"#f5f0e8","text":"One more"},{"type":"text","text":"The developer's key was in his code for weeks. He just forgot to remove it before pushing to GitHub. The key worked for anyone who had it."},{"type":"quiz","question":"Why couldn't AWS tell the difference between the developer and the bots?","options":[{"label":"A","text":"Because the API key IS the identity — whoever has the key is the user","correct":true,"feedback":"There's no second factor. No face scan. No \"are you really Dave?\" The key is the only proof of identity. AWS sees a valid key, AWS grants access. Doesn't matter who's holding it."},{"label":"B","text":"Because AWS has weak security systems","correct":false,"feedback":"AWS security is industry-leading. But the key was valid. AWS did exactly what it should — authenticate the key holder. The failure was the developer exposing the key, not AWS accepting it."},{"label":"C","text":"Because the bots hacked into AWS directly","correct":false,"feedback":"No hacking needed. They had the key. That's like saying someone 'broke into' your car when you left the keys on the hood. They just used the key. Legitimately, from AWS's perspective."}]}]},{"blocks":[{"type":"tag","color":"#059669","bg":"#f0fdf4","text":"The answer"},{"type":"heading","text":"An API key is a secret string that identifies you to a service."},{"type":"image","src":"/images/lessons/l1-04/1.jpg","desc":"A key card being swiped at a door. The card shows 'sk-ant-api03-abc...xyz'. The door is labeled 'Claude API'. A green light indicates access granted. Simple, clean illustration.","ratio":"16/9"},{"type":"text","text":"Three jobs. One string."},{"type":"list","title":"An API key does three things:","items":["Identity — tells the server who you are","Access control — determines what you're allowed to do","Billing — tracks usage and charges the right account"]},{"type":"text","text":"When you call Claude's API, your key is in the request header. Anthropic checks it. Valid key? Request processed. Invalid key? 401 Unauthorized. Stolen key? The thief gets in and you get the bill."}]},{"blocks":[{"type":"heading","text":"Where the key goes."},{"type":"text","text":"Your API key goes in the request header — metadata attached to the HTTP request. It never goes in the URL, never in the body, never in client-side code."},{"type":"code","language":"bash","text":"curl https://api.anthropic.com/v1/messages \\\n -H \"x-api-key: sk-ant-api03-YOUR-KEY-HERE\" \\\n -H \"content-type: application/json\" \\\n -d '{\"model\": \"claude-sonnet-4-20250514\", ...}'"},{"type":"text","text":"The x-api-key header carries your identity. HTTPS encrypts the entire request (including headers), so the key is protected in transit. But if you put the key in your code and push that code to GitHub..."},{"type":"heading","text":"HTTPS protects your key on the wire. It can't protect your key in a public repository.","size":18}]},{"blocks":[{"type":"tag","color":"#dc2626","bg":"#fef2f2","text":"The rules"},{"type":"heading","text":"API key security in four rules."},{"type":"columns","items":[{"label":"DO","bg":"#f0fdf4","border":"#86efac","labelColor":"#059669","textColor":"#065f46","html":"Store keys in environment variables
Use .env files (and .gitignore them)
Rotate keys regularly
Use separate keys for dev and production"},{"label":"NEVER","bg":"#fef2f2","border":"#fca5a5","labelColor":"#dc2626","textColor":"#991b1b","html":"Hardcode keys in source code
Commit keys to Git
Put keys in client-side code (browser JS)
Share keys over Slack, email, or chat"}]},{"type":"callout","label":"CCA-F exam connection","html":"Domain 2 tests API key management. The correct answer is always environment variables, never hardcoded strings. If an exam question shows a key in source code, that's the wrong answer. Every time."}]},{"blocks":[{"type":"tag","color":"#059669","bg":"#f0fdf4","text":"The right way"},{"type":"heading","text":"Environment variables: the key stays outside your code."},{"type":"text","text":"Instead of this (wrong):"},{"type":"code","language":"python","text":"# NEVER DO THIS\napi_key = \"sk-ant-api03-abc123xyz\""},{"type":"text","text":"Do this (right):"},{"type":"code","language":"python","text":"import os\napi_key = os.environ.get(\"ANTHROPIC_API_KEY\")"},{"type":"text","text":"The key lives in the environment (your server's configuration), not in your code. Push your code to GitHub? No key in it. Share your code with a colleague? No key in it."},{"type":"heading","text":"The code says WHERE to find the key. It never says WHAT the key is.","size":18}]},{"blocks":[{"type":"tag","color":"#a89878","bg":"#f5f0e8","text":"Check yourself"},{"type":"quiz","pre":"Your teammate sends you a Slack message: \"Hey, the API isn't working on staging. Here's my key so you can test: sk-ant-api03-7f8g9h...\"","question":"What's wrong with this?","options":[{"label":"A","text":"Nothing — sharing keys between teammates is normal","correct":false,"feedback":"API keys are like passwords. You don't share passwords over Slack. Slack messages are logged, searchable, and could be compromised. Every person should have their own key."},{"label":"B","text":"The key is now in Slack's servers, searchable, and tied to your teammate's billing","correct":true,"feedback":"Slack stores message history. That key is now in Slack's database, potentially forever. Anyone with access to that Slack workspace can find it. And if someone uses it, the charges go to your teammate's account. Revoke it. Generate a new one. Use environment variables."},{"label":"C","text":"The key should have been sent over email instead","correct":false,"feedback":"Email is equally insecure. Keys should never be transmitted in plain text over any messaging platform. Set up environment variables on the staging server. Share access, not keys."}]}]},{"blocks":[{"type":"tag","color":"#7c3aed","bg":"#f3f0ff","text":"New context — can you transfer?"},{"type":"text","text":"You're building a web app. The frontend (browser) needs to call Claude's API to generate text for the user."},{"type":"quiz","question":"Where should the API key live?","options":[{"label":"A","text":"In the JavaScript code that runs in the browser","correct":false,"feedback":"Browser code is visible to everyone. Right-click, View Source. Your API key is now public. Anyone visiting your website gets your key. This is the #1 API key mistake new developers make."},{"label":"B","text":"In a backend server that makes API calls on behalf of the frontend","correct":true,"feedback":"The frontend talks to YOUR server. Your server (with the key safely in environment variables) talks to Claude's API. The user never sees the key. The key never leaves your server. This is called a proxy pattern."},{"label":"C","text":"In a hidden HTML element on the page","correct":false,"feedback":"\"Hidden\" HTML is hidden visually, not actually hidden. Any developer tools window reveals it. This is security by obscurity — the kind that lasts about 30 seconds."},{"label":"D","text":"In the URL as a query parameter","correct":false,"feedback":"URLs are logged by browsers, servers, and ISPs. Your key would be in browser history, server logs, and potentially cached by proxies. Never put secrets in URLs."}]},{"type":"text","html":"The proxy pattern (backend holds the key, frontend never sees it) is tested on the CCA-F exam."}]},{"blocks":[{"type":"tag","color":"#7c3aed","bg":"#f3f0ff","text":"Exam pattern"},{"type":"heading","text":"How API keys appear on the CCA-F."},{"type":"text","text":"The exam presents scenarios where API keys are mishandled and asks you to identify the risk or the fix."},{"type":"columns","items":[{"label":"CORRECT","bg":"#f0fdf4","border":"#86efac","labelColor":"#059669","textColor":"#065f46","html":"Keys in environment variables, accessed server-side only. Never in client code, version control, or messaging platforms."},{"label":"TRAP","bg":"#fef2f2","border":"#fca5a5","labelColor":"#dc2626","textColor":"#991b1b","html":"\"Store the key in a config file\" — sounds right but if that config file gets committed to Git, it's the same as hardcoding. The answer is environment variables."}]},{"type":"text","html":"If the exam question involves a key anywhere a human or bot could read it, that's the wrong answer. The right answer always keeps the key outside the code, on the server, in environment variables."}]},{"blocks":[{"type":"success","label":"Key takeaway","heading":"An API key is your identity. It controls access, tracks usage, and determines billing. Leak it and someone else becomes you.","subtext":"Store keys in environment variables. Never in code, never in Git, never in Slack. The exam always picks environment variables."},{"type":"list","title":"You now know:","items":["An API key identifies you to a service (identity, access, billing)","Leaked keys = someone else becomes you (the $14,000 story)","Environment variables are the correct storage method","Never put keys in client-side code, Git repos, or messages","The proxy pattern: backend holds the key, frontend never sees it"]}]},{"blocks":[{"type":"tag","color":"#7c3aed","bg":"#f3f0ff","text":"The question you didn't think to ask"},{"type":"heading","text":"Your key gets you in. But what stops you from making 10,000 requests per second?"},{"type":"image","src":"/images/lessons/l1-04/4.jpg","desc":"A highway toll booth. One lane is open with a green light and no cars. The other lanes have red lights and massive queues. A sign reads: 'FREE TIER: 1 request/sec. PRO: 100/sec.' Clean illustration.","ratio":"16/9"},{"type":"text","text":"Your API key opens the door. But there's a speed limit once you're inside. Make too many requests and the server says 429: Too Many Requests."},{"type":"text","text":"Twitter went from free unlimited API access to 1,500 tweets per month. Overnight, thousands of apps died. Rate limiting isn't just protection -- it's a business model."},{"type":"heading","text":"That's next: What is rate limiting?","size":18},{"type":"sms","hook":"You finished L1.04. API keys: your identity. Environment variables: always.","cta":"Text me","subtext":"Get tomorrow's lesson by text — one concept, 10 minutes, straight to your phone."},{"type":"next_lesson","slug":"what-is-rate-limiting","title":"L1.05: What is rate limiting?","teaser":"Twitter killed thousands of apps overnight. One API change."}]}]}}]],null],null],null]},[null,["$","$L5",null,{"parallelRouterKey":"children","segmentPath":["children","lessons","children","$6","children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L7",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","notFoundStyles":"$undefined"}]],null]},[null,["$","$L5",null,{"parallelRouterKey":"children","segmentPath":["children","lessons","children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L7",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","notFoundStyles":"$undefined"}]],null]},[[[["$","link","0",{"rel":"stylesheet","href":"/_next/static/css/161837e1688096e0.css","precedence":"next","crossOrigin":"$undefined"}]],["$","html",null,{"lang":"en","children":[["$","head",null,{"children":[["$","link",null,{"rel":"preconnect","href":"https://fonts.googleapis.com"}],["$","link",null,{"rel":"preconnect","href":"https://fonts.gstatic.com","crossOrigin":"anonymous"}],["$","link",null,{"rel":"stylesheet","href":"https://fonts.googleapis.com/css2?family=Outfit:wght@400;500;600;700;800&family=IBM+Plex+Mono:wght@400;500&display=swap"}]]}],["$","body",null,{"children":["$","$L5",null,{"parallelRouterKey":"children","segmentPath":["children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L7",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":[["$","title",null,{"children":"404: This page could not be found."}],["$","div",null,{"style":{"fontFamily":"system-ui,\"Segoe UI\",Roboto,Helvetica,Arial,sans-serif,\"Apple Color Emoji\",\"Segoe UI Emoji\"","height":"100vh","textAlign":"center","display":"flex","flexDirection":"column","alignItems":"center","justifyContent":"center"},"children":["$","div",null,{"children":[["$","style",null,{"dangerouslySetInnerHTML":{"__html":"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}"}}],["$","h1",null,{"className":"next-error-h1","style":{"display":"inline-block","margin":"0 20px 0 0","padding":"0 23px 0 0","fontSize":24,"fontWeight":500,"verticalAlign":"top","lineHeight":"49px"},"children":"404"}],["$","div",null,{"style":{"display":"inline-block"},"children":["$","h2",null,{"style":{"fontSize":14,"fontWeight":400,"lineHeight":"49px","margin":0},"children":"This page could not be found."}]}]]}]}]],"notFoundStyles":[]}]}]]}]],null],null],"couldBeIntercepted":false,"initialHead":[null,"$L8"],"globalErrorComponent":"$9","missingSlots":"$Wa"}]

What is an API key — CCA-F Exam Prep