An API key is a password for a web service.
When your code calls OpenAI, Google, or Anthropic, it has to prove it's allowed to. It does this by sending a secret string — the API key — with every request. The service checks the key, bills your account, and responds. Treat it like a password: never share it, never paste it in code you'll upload to GitHub.
The first AI guide I followed had a step that said: "paste your OpenAI API key here." I didn't know what an API key was. I didn't know I needed one. I didn't know it would cost money. I stared at the screen for 20 minutes before closing the guide.
An API key is a password for a web service. That's it. When you call an AI service from your code, you need to prove you have an account and that you've agreed to pay per use. The key is that proof. No key, no response.
This article covers where keys come from, what they look like, and — most importantly — the one rule that will save you from an enormous accidental bill: never put an API key directly in your code. That rule has exactly one exception, and we'll cover it too.
// 01 What an API key looks like
Every service formats its keys slightly differently, but they all follow the same pattern: a long, random-looking string of letters and numbers. Here are three examples — all fake, for illustration only:
OpenAI:    sk-proj-aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdefgh
Anthropic: sk-ant-api03-aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789
Google:    AIzaSyABCDEFGHIJKLMNOPQRSTUVWXYZ01234567
Notice the prefix: sk- for OpenAI ("secret key"), sk-ant- for Anthropic. These prefixes help you identify which service a key belongs to — and help services detect when their keys accidentally get leaked online.
// 02 How to get an API key
Every service follows the same three-step process. The details differ, but the flow is identical.
The "shown once" problem
Almost every service shows your key exactly once — when you generate it. After you navigate away, it's gone from the UI forever. You can always generate a new key, but you can't retrieve the old one. Copy it the moment it appears. Paste it somewhere safe before you close that modal.
The cost question
Most AI APIs charge per use (per token, per image, per request). The cost for following along with a single guide is typically under $0.10 — often less than a cent. The big providers (OpenAI, Anthropic, Google) all have dashboards where you can set monthly spending limits, which I strongly recommend doing before you start any project.
- OpenAI — platform.openai.com → API keys (left sidebar) → Create new secret key
- Anthropic — console.anthropic.com → API Keys → Create Key
- Google Gemini — aistudio.google.com → Get API key
// 03 Where to keep it (and where not to)
The most expensive mistake in AI development is committing an API key to a public GitHub repo. GitHub scans for key patterns — and so do bots. Within minutes of a key appearing in a public repo, it is found, cloned, and used. People have received $5,000+ surprise bills this way.
The correct home for an API key is a .env file — a plain-text file that your code reads at startup, and that your .gitignore tells git to ignore. Foundation #05 covers this in detail. For now: if a guide tells you to set an API key, it means put it in a .env file, not in the code.
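The key-pattern scanning described above, as an added example (not code from the original article or from GitHub): a small scanner you can run over files before committing. The regular expressions are assumptions modelled on the prefixes and fake keys shown in section 01, and the function names are hypothetical.

```python
import re
import sys

# Assumed patterns, modelled on the prefixes and fake example keys on this
# page; they are not the providers' official key specifications.
# sk-ant- is listed before the generic sk- so Anthropic keys are not mislabelled.
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])(?:"
    r"(?P<anthropic>sk-ant-[A-Za-z0-9_-]{20,})"
    r"|(?P<openai>sk-[A-Za-z0-9_-]{20,})"
    r"|(?P<google>AIza[A-Za-z0-9_-]{30,})"
    r")"
)
SERVICES = {"anthropic": "Anthropic", "openai": "OpenAI", "google": "Google"}

# Constructed sample input: a source file using the page's fake keys.
SAMPLE = '''\
from openai import OpenAI
client = OpenAI(api_key="sk-proj-aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdefgh")
safe = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
ANTHROPIC_KEY = "sk-ant-api03-aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789"
maps_key = "AIzaSyABCDEFGHIJKLMNOPQRSTUVWXYZ01234567"
'''


def redact(key):
    """Keep only enough of the key to identify it; never log the full secret."""
    return f"{key[:8]}...[{len(key)} chars]"


def scan_text(text):
    """Return (line_number, service, redacted_key) for each key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            service = SERVICES[match.lastgroup]
            findings.append((lineno, service, redact(match.group())))
    return findings


if __name__ == "__main__":
    # With file arguments, scan those files (e.g. from a pre-commit hook);
    # with none, scan the constructed sample. Exit 1 if anything is found.
    sources = {p: open(p, errors="replace").read() for p in sys.argv[1:]}
    sources = sources or {"<sample>": SAMPLE}
    hits = [(name, *f) for name, text in sources.items() for f in scan_text(text)]
    for name, lineno, service, shown in hits:
        print(f"{name}:{lineno}: possible {service} key {shown}")
    sys.exit(1 if hits else 0)
```

The line that reads the key from os.environ is not flagged; only the three hardcoded strings are.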
// 04 How the key works in practice
When your code makes a request to an AI service, it sends the key in a request header. The service validates it, looks up your account, records the usage, and sends back the response. Your code doesn't need to do anything special — the SDK handles all of this.

import os
from openai import OpenAI

# reads OPENAI_API_KEY from the environment (populated from your .env file)
client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])

response = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "user", "content": "hello"}],
)
print(response.choices[0].message.content)

Notice os.environ["OPENAI_API_KEY"] — the code reads the key from the environment, not from a hardcoded string. That's the pattern every guide on this site uses. You will see it constantly.
// 05 Now you. Generate your first API key.
Five minutes. We'll generate a real key, look at it, and then put it in the right place. We won't run any code yet — that's for the specific guides. This is just the key-handling motion.
Generate and safely store your first API key
- Pick a service. Anthropic (console.anthropic.com) gives new accounts $5 of free credits with no card required initially — a good first key. OpenAI (platform.openai.com) requires a card but has a generous free tier.
- Create an account if you don't have one. Sign up, verify your email, done.
- Find the API keys section. Look under your profile, settings, or left sidebar — it's usually labeled "API Keys" or "Credentials."
- Generate a key. Click "Create" or "Generate." A modal appears with your key. Copy it immediately. Paste it into a notes app or password manager. Do not close the modal until you've confirmed the paste.
- Create a practice .env file. In any empty folder on your computer, create a file called .env. Add one line: MY_API_KEY=the-key-you-just-copied. That's the format. (Foundation #05 explains how your code reads this.)
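
A check for the practice step above, as an added example that is not from the original guide: it parses the .env file, refuses to proceed unless .gitignore lists .env, and loads MY_API_KEY into the environment so os.environ can read it. The function names and the simplified .gitignore matching are assumptions of this example.

```python
import os
from pathlib import Path

PLACEHOLDER = "the-key-you-just-copied"  # the literal text from the step above


def parse_env(text):
    """Parse KEY=value lines; skip blanks and # comments; strip matching quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[name.strip()] = value
    return values


def env_is_ignored(folder):
    """True if the folder's .gitignore has a rule that covers .env.

    Simplified on purpose: it ignores negation rules, parent directories and
    global ignore files. `git check-ignore .env` is the authoritative test.
    """
    gitignore = Path(folder) / ".gitignore"
    if not gitignore.is_file():
        return False
    rules = {line.strip() for line in gitignore.read_text().splitlines()}
    return bool(rules & {".env", "/.env", "*.env", ".env*"})


def load_key(folder, name="MY_API_KEY"):
    """Load `name` from folder/.env into os.environ, refusing unsafe setups."""
    if not env_is_ignored(folder):
        raise RuntimeError(".env is not listed in .gitignore; add it first")
    values = parse_env((Path(folder) / ".env").read_text())
    key = values.get(name, "")
    if not key or key == PLACEHOLDER:
        raise RuntimeError(f"{name} is missing or still the placeholder")
    os.environ.setdefault(name, key)  # a value already in the environment wins
    return os.environ[name]
```

Call load_key(".") once at startup, before any line that reads os.environ; error messages name the variable but never include its value.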