
What is an API Key and an Environment Variable?

An API key is a secret password for software

When you want to use an AI company's service inside your own app (rather than through their website), they give you a long, unique string of letters and numbers called an "API key" — it proves to their systems that requests are coming from you, and it's how they track and bill your usage.

Why an API key must be kept secret

An API key is like a credit card number for that service: anyone who has it can use the service, and the charges go to your account. Never post an API key publicly, paste it into a chat, or put it directly inside code you share with others.

An environment variable is where you safely store it

An "environment variable" is a labeled secret value stored separately from your actual code — so the code can use the API key without the key itself being written visibly in a file that gets shared or published. It's like keeping your house key in a hidden spot instead of taped to your front door.

Key Takeaways

  • An API key is a secret credential that identifies you when your app talks to another service.
  • Anyone with your API key can use the service and have it billed to your account, so treat it like a password.
  • An environment variable stores that secret separately from your code, so it isn't accidentally shared.
  • Never post an API key publicly or paste it into a chat, code sample, or screenshot you share.

Spot the secret

Look at an excerpt in the style of 404Fault's own CLAUDE.md documentation (or ask an AI to show you a fake example) and identify which values would be API keys that must never be shared publicly.
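An added example, not part of the original lesson: it shows an app reading its key from an environment variable as described above, printing only a masked form, and a simple check that "spots the secret" when a key is written directly into a file. The variable name `EXAMPLE_AI_API_KEY`, the `sk-constructed-...` value, and the name pattern the check looks for are all assumptions made up for this example.

```python
import os
import re

ENV_NAME = "EXAMPLE_AI_API_KEY"  # assumed name; each service documents its own

def load_api_key(env=None, name=ENV_NAME):
    """Read the key from the environment; fail loudly if it is not set."""
    env = os.environ if env is None else env
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"Set the {name} environment variable first.")
    return key

def redact(key, visible=4):
    """Return a form that is safe to print: only the last few characters."""
    if len(key) <= visible * 2:
        return "*" * len(key)
    return "*" * (len(key) - visible) + key[-visible:]

# A secret-looking name assigned a quoted literal of 8+ characters.
HARDCODED = re.compile(
    r"\b(\w*(?:api_?key|secret|token)\w*)\s*[:=]\s*[\"']([^\"']{8,})[\"']",
    re.IGNORECASE,
)

def find_hardcoded_keys(source):
    """Return (line_number, name) for each secret written directly in text."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits

# Constructed sample file contents; the key value is fake.
SAMPLE = "\n".join([
    'API_KEY = "sk-constructed-1234567890abcdef"',   # unsafe: key in the code
    'api_key = os.environ["EXAMPLE_AI_API_KEY"]',    # safe: key stays outside
    'MODEL = "example-model-v1"',                    # not a secret
])

if __name__ == "__main__":
    print(find_hardcoded_keys(SAMPLE))
    fake_env = {ENV_NAME: "sk-constructed-1234567890abcdef"}
    print(redact(load_api_key(fake_env)))
```

Only the first sample line is flagged, because it is the only one where the key itself appears in the text; the second line names the environment variable but contains no secret.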