API keys and authentication tokens are both types of token-based authentication:

  • API keys - identify the calling project (the application or site) making the call to an API
  • Authentication tokens - identify a user (the person) who is using the app or site

Sometimes we use both API keys and authentication schemes.

When to use API Keys

An API may restrict some or all of its methods to require API keys. It makes sense to do this if:

  • You want to block anonymous traffic. API keys identify an application’s traffic for the API producer, in case the application developer needs to work with the API producer to debug an issue or show their application’s usage
  • You want to control the number of calls made to your API
  • You want to identify usage patterns in your API’s traffic. You can see application usage in APIs & services
  • You want to filter logs by API key

API keys cannot be used for:

  • Identifying individual users — API keys don’t identify users, they identify projects
  • Secure authorization
  • Identifying the creators of a project
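
A minimal sketch of the split described above, added here as an illustration and not taken from any real API product: the API key identifies the calling project (blocking anonymous traffic, enforcing a call quota, tagging logs), while a separate signed token identifies the user. The key value, project name, quota and HMAC token format are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo values (hypothetical key, project name, quota and secret).
TOKEN_SECRET = b"demo-signing-secret"      # stand-in for a real token issuer
KEY_HASH_TO_PROJECT = {hashlib.sha256(b"demo-key-site-a").hexdigest(): "site-a"}
QUOTA_PER_PROJECT = 4                      # calls allowed per project in this demo
calls = Counter()                          # per-project call counts
access_log = []                            # (project, user, path, status)

def _sign(user):
    return hmac.new(TOKEN_SECRET, user.encode(), hashlib.sha256).hexdigest()

def issue_user_token(user):
    """Toy user token: '<user>.<HMAC of user>' (assumed format)."""
    return f"{user}.{_sign(user)}"

def user_from_token(token):
    """Return the user name if the signature verifies, else None."""
    user, _, sig = (token or "").rpartition(".")
    ok = hmac.compare_digest(sig.encode(), _sign(user).encode())
    return user if user and ok else None

def handle(path, api_key=None, user_token=None, needs_user=False):
    """Return (status, project, user) and append the call to access_log."""
    key_hash = hashlib.sha256((api_key or "").encode()).hexdigest()
    project = KEY_HASH_TO_PROJECT.get(key_hash)   # the key maps to a project only
    user = None
    if project is None:
        status = 401                  # anonymous traffic is blocked
    else:
        calls[project] += 1           # usage is counted per project
        user = user_from_token(user_token)
        if calls[project] > QUOTA_PER_PROJECT:
            status = 429              # project exceeded its call quota
        elif needs_user and user is None:
            status = 401              # a valid key does not identify a person
        else:
            status = 200
    access_log.append((project, user, path, status))
    return status, project, user
```

Filtering `access_log` on its first field gives the per-key view of traffic; the user field is only ever filled in from a verified token, never from the API key.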