AUTHENTICATION

API Key

Send an API key as a custom header or query parameter. Flexible naming lets you match any API's expected key format.

How It Works

API Key authentication adds a named key-value pair to your request — either as a custom HTTP header or as a URL query parameter. Unlike Basic Auth or Bearer Token, you control the key name, making it compatible with any API that expects a specific header or param name.

As header:

X-API-Key: abc123def456

As query param:

?api_key=abc123def456

Configuration

Select API Key from the Auth type dropdown. Three fields appear:

Field    Description
Key      The header name or query parameter name (e.g. X-API-Key)
Value    The API key value
Add to   Where to place the key: Header or Query Params

Header vs Query

The Add to dropdown controls where the key is injected:

Header

Adds a custom request header. Preferred for most APIs — keeps the key out of URLs, server logs, and browser history.

X-API-Key: sk-abc123...

Query Params

Appends as a URL query parameter. Some APIs (Google Maps, weather services) require this approach.

GET https://api.example.com/data?api_key=sk-abc123...

Security note: Query parameters may be logged by proxies, CDNs, and server access logs. Prefer header-based API keys when the API supports both options.
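
For logs you control, the exposure described in the security note can be reduced by redacting key-bearing query parameters before log lines are stored or shipped. The Python below is an added example, not part of this tool; the parameter-name list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names that carry API keys; extend to match the APIs you call.
SENSITIVE_PARAMS = {"api_key", "apikey", "key", "access_token", "token"}

def redact_url(url, sensitive=SENSITIVE_PARAMS):
    """Return (redacted_url, names_of_redacted_params)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in sensitive and value:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, []
    # urlencode re-encodes the other parameters; acceptable for log output.
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

# Request line as written in Common Log Format: "GET /path?x=y HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def scrub_log_line(line):
    """Redact key-bearing query params in one access-log line."""
    hits = []
    def _sub(m):
        target, found = redact_url(m.group("target"))
        hits.extend(found)
        return f'"{m.group("method")} {target} {m.group("proto")}"'
    return REQUEST_LINE.sub(_sub, line), hits

# Constructed sample lines: key sent as a query param, then key sent as a header.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /data?api_key=sk-abc123&page=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /data?page=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        clean, hits = scrub_log_line(line)
        print(clean, "<- redacted:", hits)
```

The second sample line shows why headers are preferred: a key sent as a header never reaches the request line, so there is nothing to redact.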

Variable Support

Both the Key and Value fields support {{variable}} placeholders.

Key:   X-API-Key
Value: {{my_api_key}}

Or even dynamic key names:

Key:   {{api_key_header_name}}
Value: {{api_key_value}}

Common API key header names used across popular services:

X-API-Key, X-Api-Token, Authorization, api-key, x-functions-key

Examples

API key in header

Auth Type: API Key
Key:       X-API-Key
Value:     {{openai_key}}
Add to:    Header

→ Request header added:
  X-API-Key: sk-proj-abc123def456...

API key in query parameter

Auth Type: API Key
Key:       api_key
Value:     {{maps_api_key}}
Add to:    Query Params

URL: https://maps.googleapis.com/maps/api/geocode/json?address=Sydney

→ Final URL:
  https://maps.googleapis.com/maps/api/geocode/json?address=Sydney&api_key=AIzaSy...

Tip: For APIs that use the Authorization header without the Bearer prefix (e.g. Authorization: Api-Key xyz), use API Key auth with key name Authorization and value Api-Key {{token}}.

Security Note

Auth credentials appear in multiple places:

  • Actual Request tab — shows resolved auth headers with real values
  • Code Export — generated code includes resolved auth values
  • History — saved request headers contain injected auth (scrubbed only if from vault)
  • collections.json — auth config saved in plain text (committed to git)

Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.
