AUTHENTICATION
API Key
Send an API key as a custom header or query parameter. Flexible naming lets you match any API's expected key format.
How It Works
API Key authentication adds a named key-value pair to your request — either as a custom HTTP header or as a URL query parameter. Unlike Basic Auth or Bearer Token, you control the key name, making it compatible with any API that expects a specific header or param name.
As header:
X-API-Key: abc123def456
As query param:
?api_key=abc123def456
Configuration
Select API Key from the Auth type dropdown. Three fields appear:
| Field | Description |
|---|---|
| Key | The header name or query parameter name (e.g. X-API-Key) |
| Value | The API key value |
| Add to | Where to place the key: Header or Query Params |
Header vs Query
The Add to dropdown controls where the key is injected:
Header
Adds a custom request header. Preferred for most APIs — keeps the key out of URLs, server logs, and browser history.
X-API-Key: sk-abc123...
Query Params
Appends as a URL query parameter. Some APIs (Google Maps, weather services) require this approach.
GET https://api.example.com/data?api_key=sk-abc123...
Variable Support
Both the Key and Value fields support {{variable}} placeholders.
Key: X-API-Key
Value: {{my_api_key}}
Or even dynamic key names:
Key: {{api_key_header_name}}
Value: {{api_key_value}}
Common API key header names used across popular services:
Examples
API key in header
Auth Type: API Key
Key: X-API-Key
Value: {{openai_key}}
Add to: Header
→ Request header added:
X-API-Key: sk-proj-abc123def456...
API key in query parameter
Auth Type: API Key
Key: api_key
Value: {{maps_api_key}}
Add to: Query Params
URL: https://maps.googleapis.com/maps/api/geocode/json?address=Sydney
→ Final URL:
https://maps.googleapis.com/maps/api/geocode/json?address=Sydney&api_key=AIzaSy...
To send an Authorization header without the Bearer prefix (e.g. Authorization: Api-Key xyz), use API Key auth with key name Authorization and value Api-Key {{token}}.
Security Note
Auth credentials appear in multiple places:
- Actual Request tab — shows resolved auth headers with real values
- Code Export — generated code includes resolved auth values
- History — saved request headers contain injected auth (scrubbed only if from vault)
- collections.json — auth config saved in plain text (committed to git)
Recommendation: Store sensitive credentials in the Secret Vault and reference them as {{variables}}. Vault secrets are automatically scrubbed from persisted history, and the vault file is AES-256-GCM encrypted — safe to have alongside git-tracked files.
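One way to enforce this recommendation before a commit, as an added example that is not part of the tool or its documentation: a check that walks a collections file and reports API Key auth blocks whose Value is a literal instead of a {{variable}} reference. The JSON layout (`type`, `key`, `value`, `addTo`), the allowed variable-name characters and the 12-character threshold are assumptions made for illustration; adjust them to the real file.

```python
import json
import re

# {{variable}} syntax is from the page; the allowed name characters are an assumption.
PLACEHOLDER = re.compile(r"\{\{\s*[\w.-]+\s*\}\}")
MIN_SECRET_LEN = 12  # heuristic: a literal token this long is treated as key material

def literal_problem(value):
    """Return a reason string if value embeds literal key material, else None."""
    if not value.strip():
        return None
    if not PLACEHOLDER.search(value):
        return "literal value, no {{variable}} reference"
    # Short literals such as the "Api-Key " scheme prefix are allowed next to a placeholder.
    leftover = PLACEHOLDER.sub(" ", value).split()
    if any(len(tok) >= MIN_SECRET_LEN for tok in leftover):
        return "literal fragment beside a {{variable}} reference"
    return None

def find_plaintext_keys(node, path="$"):
    """Walk parsed JSON; return (path, key name, reason) tuples. The value is never echoed."""
    findings = []
    if isinstance(node, dict):
        # Assumed schema: an auth object is marked with "type": "apikey".
        if node.get("type") == "apikey" and isinstance(node.get("value"), str):
            reason = literal_problem(node["value"])
            if reason:
                findings.append((path, node.get("key"), reason))
        for name, child in node.items():
            findings += find_plaintext_keys(child, f"{path}.{name}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings += find_plaintext_keys(child, f"{path}[{i}]")
    return findings

# Constructed sample, not a real collections.json.
SAMPLE = json.loads("""
{"collections": [{"name": "demo", "requests": [
  {"name": "geocode", "auth": {"type": "apikey", "key": "api_key", "value": "{{maps_api_key}}", "addTo": "query"}},
  {"name": "data", "auth": {"type": "apikey", "key": "X-API-Key", "value": "abc123def456", "addTo": "header"}},
  {"name": "custom", "auth": {"type": "apikey", "key": "Authorization", "value": "Api-Key {{token}}", "addTo": "header"}}
]}]}
""")

if __name__ == "__main__":
    for path, key, reason in find_plaintext_keys(SAMPLE):
        print(f"{path}: {key}: {reason}")
```

Run as a pre-commit step, a non-empty result would block the commit until the flagged Value is moved into the vault and replaced with a placeholder.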