APIs & API Keys
The Restaurant's Service Window
You don't walk into the kitchen to get your food — you order through the window. The API is that window.
An API (Application Programming Interface) is the defined way your application talks to another service — like sending an order slip through a kitchen window and receiving the dish back. An API key is your membership card — it identifies who you are, tracks your usage, and controls your access. Lose it or share it publicly and someone else runs up your bill.
In Plain English
An API is how your code communicates with an external service — like sending a request to Claude and receiving a response. An API key is a secret credential that authenticates your application. Never hardcode it in your frontend code — it will be exposed.
The Technical Picture
APIs use HTTP request/response cycles, typically REST or GraphQL. LLM APIs accept POST requests with JSON payloads (model, messages, parameters) and return JSON responses. API keys are passed in request headers (Authorization: Bearer sk-...). Anything shipped to the browser can be read by whoever loads the page, so a key placed in frontend code is as good as published; keep the key in a server-side environment variable and have the frontend call your own backend, which adds the key and forwards the request.
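The backend-proxy pattern just described, as an added example rather than code from the original article: the browser sends only the prompt to your server, the server reads the key from an environment variable, validates the request and builds the outbound call with the bearer header; a small redaction helper keeps key-shaped strings out of logs. The endpoint URL, model names and the `LLM_API_KEY` variable name are placeholders.

```python
import re

LLM_ENDPOINT = "https://api.example.invalid/v1/messages"  # placeholder, not a real endpoint
ALLOWED_MODELS = {"example-model-small", "example-model-large"}  # constructed names
# Matches key-shaped tokens of the "sk-..." form mentioned above (assumed shape)
KEY_PATTERN = re.compile(r"\bsk-[A-Za-z0-9_-]{8,}")


def build_llm_request(api_key: str, model: str, messages: list, **params) -> dict:
    """Assemble the outbound HTTP call: JSON body plus the bearer-token header.

    The key only ever appears here, on the server side.
    """
    return {
        "url": LLM_ENDPOINT,
        "method": "POST",
        "headers": {
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
        },
        "json": {"model": model, "messages": messages, **params},
    }


def proxy_request(client_payload: dict, env: dict) -> dict:
    """Server-side handler for requests coming from the frontend.

    The client supplies only model and messages; the key comes from the
    server environment, and anything else the client sent is dropped so a
    client can never inject its own Authorization header or parameters.
    """
    api_key = env.get("LLM_API_KEY")  # e.g. os.environ in a real deployment
    if not api_key:
        raise RuntimeError("LLM_API_KEY is not set on the server")
    model = client_payload.get("model", "example-model-small")
    if model not in ALLOWED_MODELS:
        raise ValueError(f"model not allowed: {model}")
    messages = client_payload.get("messages")
    if not isinstance(messages, list) or not messages:
        raise ValueError("messages must be a non-empty list")
    # Server-chosen limits, not client-chosen, so one caller cannot run up the bill
    return build_llm_request(api_key, model, messages, max_tokens=256)


def redact_keys(text: str) -> str:
    """Mask key-shaped strings before they reach logs or error responses."""
    return KEY_PATTERN.sub("sk-[redacted]", text)
```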
Real-World Examples
- Anthropic, OpenAI, and Google all provide API keys for accessing their models
- Lovable and Cursor use API keys behind the scenes so you don't have to manage them
- A leaked API key on GitHub has cost developers thousands of rupees in minutes
The API key is your AI service's front door key — if someone steals it, they can use your account at your expense.