---
title: "The Missing Manual for API Keys"
description: "Best practices, patterns, and hard-won lessons for designing API key authentication. Free, open source, and built for both developers and the AI agents writing their integration code."
canonicalUrl: "https://zuplo.com/blog/2026/05/05/introducing-apikeys-guide"
pageType: "blog"
date: "2026-05-05"
authors: "martyn"
tags: "API Key Authentication, API Security, Developer Experience"
image: "https://zuplo.com/og?text=The%20Missing%20Manual%20for%20API%20Keys"
---
API keys are everywhere. Stripe, OpenAI, Google Maps, your side project, the
internal service nobody documented. Almost every major API uses them.

And yet, there is no RFC. No standard. No agreed way to do any of it.

Every provider approaches things differently. Where the key goes, how it is
prefixed, stored, rotated, revoked. If you are building an API that needs keys,
you are piecing this together from blog posts, source code, and whatever the big
providers are doing this week.

So we built the guide we wished existed: [apikeys.guide](https://apikeys.guide).

<CalloutAudience
  variant="bestFor"
  items={[
    "Engineers designing API key authentication for the first time",
    "Teams reviewing an existing key system and looking for what they missed",
    "Anyone tired of reverse-engineering Stripe to figure out the right answer",
  ]}
/>

![apikeys.guide homepage showing the anatomy of a well-designed API key with prefix, payload, and checksum segments](/blog-images/2026-05-05-introducing-apikeys-guide/apikeys-guide-hero.png)

<CalloutVideo
  variant="card"
  title="Introducing apikeys.guide"
  description="A short walkthrough of what apikeys.guide is, who it's for, and why we built it."
  videoUrl="https://youtu.be/39YoYUOcpzg"
  thumbnailUrl="https://i3.ytimg.com/vi/39YoYUOcpzg/hqdefault.jpg"
  duration="1:29"
/>

## What's in the guide

The whole topic covered in depth, including:

- **Anatomy of a good key.** Prefix, payload, checksum, and why each piece
  matters.
- **Where to send it.** Authorization header, custom header, query string, and
  the real trade-offs.
- **How to hash and store it.** What you keep in your database, and what you
  hand back to the user exactly once.
- **How to prefix it.** A distinctive prefix lets
  [GitHub secret scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning)
  flag leaked keys, and lets support teams recognize them at a glance.
- **Rotation and revocation.** How rolling keys works without breaking live
  integrations.
- **Public versus secret keys.** When you need both, and how they differ.
- **Rate limiting per key.** The bit most providers bolt on later and regret.

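As an added example, not code from apikeys.guide or from Zuplo, here is one way to put several of those items together in Python: issuing a key with an assumed `zpk_live_` prefix, a 256-bit random payload and a CRC32 checksum; storing only its SHA-256 digest plus a non-secret hint; rejecting malformed keys before any lookup; and rotating and revoking keys. The prefix, the field widths and the in-memory store are assumptions made for this example.

```python
"""Added example (not code from apikeys.guide or Zuplo). Issues, stores, verifies,
rotates and revokes prefixed API keys with a checksum. The prefix, the lengths and
the in-memory store are assumptions for the example."""
import hashlib
import hmac
import re
import secrets
import time
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIX = "zpk_live_"      # assumed prefix; a real one is registered with scanning partners
PAYLOAD_BYTES = 32        # 256 bits from the OS CSPRNG
PAYLOAD_CHARS = 43        # 62**43 > 2**256, so every 32-byte value fits in 43 digits
CHECKSUM_CHARS = 6        # 62**6 > 2**32, so a CRC32 fits in 6 digits
KEY_RE = re.compile(re.escape(PREFIX) + r"[0-9A-Za-z]{%d}" % (PAYLOAD_CHARS + CHECKSUM_CHARS))


def b62(n: int, width: int) -> str:
    """Fixed-width base62 so a key is one regex-friendly run of [0-9A-Za-z]."""
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = ALPHABET[r] + out
    return out.rjust(width, "0")


def checksum(body: str) -> str:
    """CRC32 over prefix+payload. Not a security control: it lets scanners and the
    API edge reject malformed or truncated keys cheaply, before any lookup."""
    return b62(zlib.crc32(body.encode("ascii")), CHECKSUM_CHARS)


def looks_like_key(candidate: str) -> bool:
    """Structural check: right prefix, right length, right alphabet, checksum matches."""
    if not KEY_RE.fullmatch(candidate):
        return False
    body, check = candidate[:-CHECKSUM_CHARS], candidate[-CHECKSUM_CHARS:]
    return hmac.compare_digest(checksum(body), check)


def key_hash(plaintext: str) -> str:
    """Keys carry 256 bits of entropy, so an unsalted SHA-256 is enough and stays
    usable as a lookup index; slow KDFs are for low-entropy secrets like passwords."""
    return hashlib.sha256(plaintext.encode("ascii")).hexdigest()


@dataclass
class StoredKey:
    digest: str               # the only thing kept that can authenticate; plaintext is never stored
    hint: str                 # prefix + first 4 payload chars, safe for dashboards and support
    owner: str
    created_at: float
    expires_at: Optional[float] = None   # set when the key is rotated out
    revoked: bool = False


class KeyStore:
    def __init__(self) -> None:
        self.by_hash: Dict[str, StoredKey] = {}

    def issue(self, owner: str, now: Optional[float] = None) -> str:
        payload = b62(int.from_bytes(secrets.token_bytes(PAYLOAD_BYTES), "big"), PAYLOAD_CHARS)
        body = PREFIX + payload
        plaintext = body + checksum(body)
        rec = StoredKey(digest=key_hash(plaintext), hint=body[: len(PREFIX) + 4],
                        owner=owner, created_at=time.time() if now is None else now)
        self.by_hash[rec.digest] = rec
        return plaintext      # handed to the user exactly once

    def authenticate(self, candidate: str, now: Optional[float] = None) -> Optional[str]:
        if not looks_like_key(candidate):
            return None       # malformed: reject before touching storage
        rec = self.by_hash.get(key_hash(candidate))
        if rec is None or rec.revoked:
            return None
        now = time.time() if now is None else now
        if rec.expires_at is not None and now >= rec.expires_at:
            return None
        return rec.owner

    def revoke(self, digest: str) -> None:
        self.by_hash[digest].revoked = True

    def rotate(self, old_digest: str, grace_seconds: float, now: Optional[float] = None) -> str:
        """Issue a replacement and keep the old key working until the grace period ends,
        so the caller can roll the new key out without a hard cutover."""
        now = time.time() if now is None else now
        old = self.by_hash[old_digest]
        old.expires_at = now + grace_seconds
        return self.issue(old.owner, now)
```

Two choices worth noting. The checksum is deliberately cheap and unkeyed: its job is to let a scanner or the API edge discard garbage that merely resembles a key without a database round trip, not to prove anything about the caller. And the digest is an unsalted SHA-256 because the payload already holds 256 random bits; salting or a slow KDF would only stop the digest being used as the lookup index, which is the whole point of hashing the key rather than keeping it.
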
It is the missing manual for API key authentication, drawn from our own
experience building API key authentication at Zuplo and from providers who have
shipped it at scale.

## Built for humans and agents

apikeys.guide is built for both. It is human-readable and properly structured,
and the content is available as markdown, so you can point Claude, Codex, or your
AI assistant of choice at it and have it work from the actual guidance rather
than guess.

## Free, open, supported by Zuplo

It is open source on [GitHub](https://github.com/zuplo/apikeys.guide),
maintained and supported by us here at Zuplo.

<CalloutDoc
  title="apikeys.guide"
  description="The missing manual for API key authentication. Best practices, patterns, and lessons from APIs that have done this at scale."
  href="https://apikeys.guide"
  icon="book"
/>

Read it. Send it to whoever is building your next API. And if there is something
missing, tell us.