# How API Keys Work

The lifecycle of an API key is straightforward:

1. **Provisioning:** A developer registers with an API provider and receives one or more API keys, usually through a dashboard or management API.
2. **Inclusion in requests:** The developer's application includes the key in every request it makes, most commonly in an HTTP header or as a query parameter.
3. **Server-side validation:** The API server extracts the key from the incoming request, looks it up in its data store, and determines whether the request should be allowed.
4. **Enforcement:** Based on the key lookup, the server can enforce rate limits, track usage, check permissions, and log the request against the correct account.

## Sending an API Key

The two most common ways to include an API key in a request are via a request header or a query parameter.

**Request header (recommended):**

```bash
curl -H "Authorization: Bearer zpka_d67b4e3f8a9c42..." \
  https://api.example.com/v1/products
```

```javascript
const response = await fetch("https://api.example.com/v1/products", {
  headers: {
    Authorization: "Bearer zpka_d67b4e3f8a9c42...",
  },
});
```

**Query parameter (less secure):**

```
https://api.example.com/v1/products?api_key=zpka_d67b4e3f8a9c42...
```

Headers are strongly preferred because query parameters can leak into server logs, browser history, and referrer headers. Most modern APIs accept keys exclusively through headers.

## How the Server Validates a Key

When a request arrives, the server typically follows these steps:

1. **Extract** the key from the `Authorization` header (or other configured location).
2. **Hash** the key using a one-way hash function like SHA-256. Well-designed systems [never store raw API keys](/docs/security/hashing-and-storage); they store hashes, just like passwords.
3. **Look up** the hash in a database or cache to find the associated account, permissions, and rate-limit tier.
4. **Check status:** is the key active, expired, or revoked?
5. **Enforce policies:** apply [rate limits](/docs/security/rate-limiting), [scope restrictions](/docs/security/scoping-and-permissions), and IP allowlists before forwarding the request to the upstream service.

This lookup is usually backed by a fast data store (in-memory cache or key-value database) so that key validation adds minimal latency to the request path.