Zuplo

The Missing Manual for API Keys

Martyn Davies
May 5, 2026
2 min read

Best practices, patterns, and hard-won lessons for designing API key authentication. Free, open source, and built for both developers and the AI agents writing their integration code.

API keys are everywhere. Stripe, OpenAI, Google Maps, your side project, the internal service nobody documented. Almost every major API uses them.

And yet, there is no RFC. No standard. No agreed way to do any of it.

Every provider approaches things differently. Where the key goes, how it is prefixed, stored, rotated, revoked. If you are building an API that needs keys, you are piecing this together from blog posts, source code, and whatever the big providers are doing this week.

So we built the guide we wished existed: apikeys.guide.

Best for:
  • Engineers designing API key authentication for the first time
  • Teams reviewing an existing key system and looking for what they missed
  • Anyone tired of reverse-engineering Stripe to figure out the right answer

apikeys.guide homepage showing the anatomy of a well-designed API key with prefix, payload, and checksum segments

Video tutorial: Introducing apikeys.guide (1:29)

A short walkthrough of what apikeys.guide is, who it's for, and why we built it.

What’s in the guide

The whole topic covered in depth, including:

  • Anatomy of a good key. Prefix, payload, checksum, and why each piece matters.
  • Where to send it. Authorization header, custom header, query string, and the real trade-offs.
  • How to hash and store it. What you keep in your database, and what you hand back to the user exactly once.
  • How to prefix it. So leaked keys are caught by GitHub secret scanning, and support teams can recognize them at a glance.
  • Rotation and revocation. How rolling keys works without breaking live integrations.
  • Public versus secret keys. When you need both, and how they differ.
  • Rate limiting per key. The bit most providers bolt on later and regret.
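To make the first four items concrete, here is a small Python sketch of that lifecycle: minting a key as prefix, random payload and checksum; handing the plaintext back exactly once; storing only a hash; and verifying a key pulled from an Authorization header. This is an added example written for this post, not code from apikeys.guide or from Zuplo's own key system. The exact layout (an underscore-joined prefix, a 32-byte base32 payload, a CRC32 checksum), the in-memory KeyStore and the sample request are all assumptions chosen for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
import zlib

# Assumed layout (illustration only, not the guide's prescribed format):
#   <prefix>_<payload><checksum>
#   prefix    "sk_live" / "pk_test": key type and environment, readable by
#             humans and by secret scanners
#   payload   32 random bytes, base32 (52 chars): the actual secret
#   checksum  CRC32 over prefix+payload, base32 (7 chars): rejects typos and
#             random junk before any database lookup. CRC is not a MAC; it
#             detects damage, not forgery, which is all it is asked to do.
CHECKSUM_LEN = 7


def _b32(raw: bytes) -> str:
    """Unpadded lowercase base32: URL-safe and free of 0/O and 1/I confusion."""
    return base64.b32encode(raw).decode("ascii").rstrip("=").lower()


def _checksum(body: str) -> str:
    crc = zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF
    return _b32(crc.to_bytes(4, "big"))  # 4 bytes -> 7 base32 chars


def generate_key(prefix: str = "sk_live") -> str:
    """Mint a new key. Only ever called server-side, at issue time."""
    body = f"{prefix}_{_b32(secrets.token_bytes(32))}"
    return body + _checksum(body)


def parse_key(key: str) -> tuple[str, str] | None:
    """Return (prefix, payload) if the key is well-formed, else None."""
    if len(key) <= CHECKSUM_LEN or not key.isascii():
        return None
    body, check = key[:-CHECKSUM_LEN], key[-CHECKSUM_LEN:]
    if check != _checksum(body):
        return None
    prefix, _, payload = body.rpartition("_")
    if not prefix or not payload:
        return None
    return prefix, payload


def key_hash(key: str) -> str:
    """What gets stored. SHA-256 is the right tool here: the payload carries
    256 bits of entropy, so brute force is hopeless and verification stays
    cheap. Slow hashes (bcrypt, argon2) exist for low-entropy passwords."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class KeyStore:
    """Server-side record: hash, prefix, display hint, owner, id, state.
    The plaintext is returned exactly once from issue() and never kept."""

    def __init__(self) -> None:
        self._by_hash: dict[str, dict] = {}

    def issue(self, owner: str, prefix: str = "sk_live") -> str:
        key = generate_key(prefix)
        self._by_hash[key_hash(key)] = {
            "id": secrets.token_hex(8),  # handle for dashboards and revoke()
            "owner": owner,
            "prefix": prefix,
            "hint": key[-4:],            # checksum tail; safe to display
            "revoked": False,
        }
        return key  # the one and only time the caller sees the plaintext

    def list_keys(self, owner: str) -> list[tuple[str, str, str]]:
        """Dashboard view: id, prefix and hint; never the key or its hash."""
        return [(r["id"], r["prefix"], r["hint"])
                for r in self._by_hash.values() if r["owner"] == owner]

    def revoke(self, key_id: str) -> bool:
        for rec in self._by_hash.values():
            if rec["id"] == key_id:
                rec["revoked"] = True
                return True
        return False

    def authenticate(self, presented: str) -> str | None:
        """Owner of a valid, live key; None otherwise. Malformed, unknown
        and revoked keys are deliberately indistinguishable to the caller."""
        if parse_key(presented) is None:      # cheap reject, no DB touched
            return None
        rec = self._by_hash.get(key_hash(presented))
        if rec is None or rec["revoked"]:
            return None
        return rec["owner"]


def key_from_headers(headers: dict[str, str]) -> str | None:
    """Pull a bearer key from the Authorization header, case-insensitively.
    A header stays out of access logs and browser history; a query string
    usually does not."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("acme")                     # show once, then forget
    headers = {"Authorization": f"Bearer {key}"}  # constructed sample request
    print(store.authenticate(key_from_headers(headers)))  # acme
    typo = key[:-1] + ("a" if key[-1] != "a" else "b")
    print(store.authenticate(typo))               # None: checksum mismatch
```

Two choices in the sketch are worth calling out. The checksum is verified before any database access, so mistyped or fabricated keys cost nothing to reject, and a single-character change is always caught because CRC32 detects every burst error of 32 bits or fewer. The stored value is a plain SHA-256 rather than a slow password hash, because a 256-bit random payload cannot be brute-forced and per-request verification has to stay cheap.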

The missing manual for API key authentication, drawn from our own experience building API key management at Zuplo and from providers who have shipped it at scale.

Built for humans and agents

apikeys.guide is built for both: human-readable, properly structured, and optimized for agentic consumption. Point Claude, Codex, or your AI assistant of choice at it and it gets markdown as standard, so the answers come from the guide rather than from guesses.

Free, open, supported by Zuplo

It is open source on GitHub, maintained and supported by us here at Zuplo.


Read it. Send it to whoever is building your next API. And if there is something missing, tell us.