Glossary / APIs & Integrations

API Key

The secret credential software uses to prove it is allowed to use an API.

Updated July 2, 2026

The API is the counter. The key is the login that lets software make a request there. Without it, the counter still exists, but the system won’t serve you.

Think about adding someone to Basecamp. You don’t hand them the whole company. You give them a login with the right permissions. An API key is that login for software, which is why the same key shouldn’t be shared everywhere: if every tool uses one powerful key, a single weak spot becomes a company-wide problem.

How it shows up

When an agent pulls data from QuickBooks, posts into Basecamp, or calls an AI model, it usually needs a key. That key should live in an environment variable or a secrets manager, not pasted into the code, because keys carry permissions. Some can only read; some can create, edit, or delete; some are scoped to one service; others are broad enough to do real damage if they leak. That’s why authentication isn’t a side detail: it’s the difference between “this tool can read the report” and “this tool can change production data.” Give the agent the smallest key that can do the job, not the most powerful one you have.

Why you care

The practical rule is simple: don’t paste API keys into chats, docs, screenshots, or emails. Store them where the system expects secrets to live, grant only the permissions the work needs, and rotate a key if you think it’s been exposed. A key is a badge, and badges should only open the doors the work actually requires.