Demo Mode

No student ID available

Lesson 3 of 12

Concept 3: API Keys and Authentication

API Keys and Authentication

🎯 Learning Objectives

By the end of this lesson, you will:

Understand why APIs need authentication
Learn what API keys are and how to use them
Keep API keys secure in your code
Make authenticated API requests
Understand rate limits and quotas

ℹ️ Info Why Authentication? Just like you need a library card to borrow books, you need API keys to use many APIs. They identify who you are and track your usage!

🔑 What Are API Keys?

The Library Card Analogy

Library	API World
Library Card	API Key
Shows you're a member	Shows you're registered
Tracks books you borrow	Tracks API calls you make
Has borrowing limits	Has rate limits
Can be revoked if misused	Can be disabled if abused

What API Keys Look Like

javascript

// Example API keys (these are fake!)
const weatherKey = "k7j3h5g9d2m8n4b6v1c9x0z2";
const googleKey = "AIzaSyB-1234567890abcdefghijk";
const stripeKey = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";

⚠️ Warning Never share your real API keys! They're like passwords - keep them secret!

🎫 Free vs Paid APIs

Free APIs	Paid APIs
Limited requests (e.g., 1000/day)	Higher or unlimited requests
Basic features	Advanced features
May require attribution	White-label options
Perfect for learning	For production apps

Popular Free API Tiers

OpenWeatherMap: 60 calls/minute free
NASA APIs: 1000 calls/hour free
NewsAPI: 100 requests/day free
Unsplash: 50 requests/hour free

🔐 Getting Your First API Key

Step-by-Step: OpenWeatherMap

Sign Up
- Go to openweathermap.org
- Click "Sign Up"
- Use your email
Get Your Key
- Check your email for verification
- Log in to your account
- Go to "API Keys" section
- Copy your key

Test It

bash

https://api.openweathermap.org/data/2.5/weather?q=London&appid=YOUR_KEY_HERE

💡 Tip Most APIs send keys via email after signup. Check your inbox!

🛡️ Keeping API Keys Secure

❌ NEVER Do This

javascript

// BAD: Key visible in code
const apiKey = "abc123xyz789"; // Anyone can see this!

fetch(`https://api.example.com/data?key=${apiKey}`);

✅ Better Approaches

For Learning/Development

javascript

// Store in separate file (don't commit to GitHub!)
// config.js
const API_KEY = "your-key-here";

// main.js
fetch(`https://api.example.com/data?key=${API_KEY}`);

For Production

javascript

// Use environment variables
const apiKey = process.env.API_KEY;

// Or prompt user to enter their key
const apiKey = prompt("Enter your API key:");

📝 Using API Keys in Requests

Method 1: Query Parameter

javascript

// Key in the URL
async function getWeather(city) {
  const apiKey = "your-key-here";
  const url = `https://api.openweathermap.org/data/2.5/weather?q=${city}&appid=${apiKey}`;

  const response = await fetch(url);
  const data = await response.json();
  return data;
}

Method 2: Headers

javascript

// Key in request headers
async function getData() {
  const response = await fetch('https://api.example.com/data', {
    headers: {
      'X-API-Key': 'your-key-here',
      'Content-Type': 'application/json'
    }
  });

  const data = await response.json();
  return data;
}

Method 3: Authorization Header

javascript

// Bearer token format
async function getProtectedData() {
  const response = await fetch('https://api.example.com/protected', {
    headers: {
      'Authorization': 'Bearer your-token-here'
    }
  });

  const data = await response.json();
  return data;
}

🚦 Understanding Rate Limits

What Are Rate Limits?

APIs limit how many requests you can make:

javascript

// Headers tell you about limits
const response = await fetch(apiUrl);

// Check rate limit headers
console.log(response.headers.get('X-RateLimit-Limit'));     // Max requests
console.log(response.headers.get('X-RateLimit-Remaining')); // Requests left
console.log(response.headers.get('X-RateLimit-Reset'));     // Reset time

Common Rate Limit Errors

javascript

// 429 = Too Many Requests
if (response.status === 429) {
  console.log("Slow down! Too many requests!");
  // Wait before trying again
  setTimeout(() => retry(), 60000); // Wait 1 minute
}

🎯 Practical Example: Weather App with API Key

javascript

// Complete weather app with authentication
class WeatherApp {
  constructor(apiKey) {
    this.apiKey = apiKey;
    this.baseURL = 'https://api.openweathermap.org/data/2.5';
  }

  async getWeather(city) {
    try {
      const url = `${this.baseURL}/weather?q=${city}&appid=${this.apiKey}&units=metric`;
      const response = await fetch(url);

      // Check for errors
      if (response.status === 401) {
        throw new Error('Invalid API key');
      }
      if (response.status === 404) {
        throw new Error('City not found');
      }
      if (response.status === 429) {
        throw new Error('Rate limit exceeded');
      }

      const data = await response.json();
      return {
        city: data.name,
        temp: Math.round(data.main.temp),
        description: data.weather[0].description
      };

    } catch (error) {
      console.error('Weather API Error:', error);
      return null;
    }
  }
}

// Use it
const weather = new WeatherApp('your-api-key');
const data = await weather.getWeather('Paris');

🔍 Testing Authentication

Check If Key Works

javascript

async function testAPIKey(key) {
  const testURL = `https://api.example.com/test?key=${key}`;

  try {
    const response = await fetch(testURL);

    if (response.ok) {
      console.log('✅ API key is valid!');
      return true;
    } else if (response.status === 401) {
      console.log('❌ Invalid API key');
      return false;
    }
  } catch (error) {
    console.log('❌ Network error');
    return false;
  }
}

📊 Managing Multiple API Keys

javascript

// Organize your keys
const apiKeys = {
  weather: 'weather-key-here',
  news: 'news-key-here',
  maps: 'maps-key-here'
};

// Helper function
function getAPIKey(service) {
  return apiKeys[service] || null;
}

// Usage
const weatherKey = getAPIKey('weather');

🎮 Practice Tasks

Sign up for a free OpenWeatherMap account
Get your API key from the dashboard
Test it in your browser
Make a request using JavaScript
Handle errors for invalid keys

📚 Summary

You've learned:

API keys identify and authenticate you
Keep keys secret and secure
Keys can go in URLs, headers, or authorization
APIs have rate limits to prevent abuse
Always handle authentication errors

API keys are your passport to the world of external data!

🚀 Next Lesson Preview

In Concept 04, you'll learn to:

Send data with POST requests
Create new resources via APIs
Work with request bodies
Handle form submissions to APIs

Lesson 3 of 12

Concept 3: API Keys and Authentication

API Keys and Authentication

🎯 Learning Objectives

By the end of this lesson, you will:

Understand why APIs need authentication
Learn what API keys are and how to use them
Keep API keys secure in your code
Make authenticated API requests
Understand rate limits and quotas

ℹ️ Info Why Authentication? Just like you need a library card to borrow books, you need API keys to use many APIs. They identify who you are and track your usage!

🔑 What Are API Keys?

The Library Card Analogy

Library	API World
Library Card	API Key
Shows you're a member	Shows you're registered
Tracks books you borrow	Tracks API calls you make
Has borrowing limits	Has rate limits
Can be revoked if misused	Can be disabled if abused

What API Keys Look Like

javascript

// Example API keys (these are fake!)
const weatherKey = "k7j3h5g9d2m8n4b6v1c9x0z2";
const googleKey = "AIzaSyB-1234567890abcdefghijk";
const stripeKey = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";

⚠️ Warning Never share your real API keys! They're like passwords - keep them secret!

🎫 Free vs Paid APIs

Free APIs	Paid APIs
Limited requests (e.g., 1000/day)	Higher or unlimited requests
Basic features	Advanced features
May require attribution	White-label options
Perfect for learning	For production apps

Popular Free API Tiers

OpenWeatherMap: 60 calls/minute free
NASA APIs: 1000 calls/hour free
NewsAPI: 100 requests/day free
Unsplash: 50 requests/hour free

🔐 Getting Your First API Key

Step-by-Step: OpenWeatherMap

Sign Up
- Go to openweathermap.org
- Click "Sign Up"
- Use your email
Get Your Key
- Check your email for verification
- Log in to your account
- Go to "API Keys" section
- Copy your key

Test It

bash

https://api.openweathermap.org/data/2.5/weather?q=London&appid=YOUR_KEY_HERE

💡 Tip Most APIs send keys via email after signup. Check your inbox!

🛡️ Keeping API Keys Secure

❌ NEVER Do This

javascript

// BAD: Key visible in code
const apiKey = "abc123xyz789"; // Anyone can see this!

fetch(`https://api.example.com/data?key=${apiKey}`);

✅ Better Approaches

For Learning/Development

javascript

// Store in separate file (don't commit to GitHub!)
// config.js
const API_KEY = "your-key-here";

// main.js
fetch(`https://api.example.com/data?key=${API_KEY}`);

For Production

javascript

// Use environment variables
const apiKey = process.env.API_KEY;

// Or prompt user to enter their key
const apiKey = prompt("Enter your API key:");

📝 Using API Keys in Requests

Method 1: Query Parameter

javascript

// Key in the URL
async function getWeather(city) {
  const apiKey = "your-key-here";
  const url = `https://api.openweathermap.org/data/2.5/weather?q=${city}&appid=${apiKey}`;

  const response = await fetch(url);
  const data = await response.json();
  return data;
}

Method 2: Headers

javascript

// Key in request headers
async function getData() {
  const response = await fetch('https://api.example.com/data', {
    headers: {
      'X-API-Key': 'your-key-here',
      'Content-Type': 'application/json'
    }
  });

  const data = await response.json();
  return data;
}

Method 3: Authorization Header

javascript

// Bearer token format
async function getProtectedData() {
  const response = await fetch('https://api.example.com/protected', {
    headers: {
      'Authorization': 'Bearer your-token-here'
    }
  });

  const data = await response.json();
  return data;
}

🚦 Understanding Rate Limits

What Are Rate Limits?

APIs limit how many requests you can make:

javascript

// Headers tell you about limits
const response = await fetch(apiUrl);

// Check rate limit headers
console.log(response.headers.get('X-RateLimit-Limit'));     // Max requests
console.log(response.headers.get('X-RateLimit-Remaining')); // Requests left
console.log(response.headers.get('X-RateLimit-Reset'));     // Reset time

Common Rate Limit Errors

javascript

// 429 = Too Many Requests
if (response.status === 429) {
  console.log("Slow down! Too many requests!");
  // Wait before trying again
  setTimeout(() => retry(), 60000); // Wait 1 minute
}

🎯 Practical Example: Weather App with API Key

javascript

// Complete weather app with authentication
class WeatherApp {
  constructor(apiKey) {
    this.apiKey = apiKey;
    this.baseURL = 'https://api.openweathermap.org/data/2.5';
  }

  async getWeather(city) {
    try {
      const url = `${this.baseURL}/weather?q=${city}&appid=${this.apiKey}&units=metric`;
      const response = await fetch(url);

      // Check for errors
      if (response.status === 401) {
        throw new Error('Invalid API key');
      }
      if (response.status === 404) {
        throw new Error('City not found');
      }
      if (response.status === 429) {
        throw new Error('Rate limit exceeded');
      }

      const data = await response.json();
      return {
        city: data.name,
        temp: Math.round(data.main.temp),
        description: data.weather[0].description
      };

    } catch (error) {
      console.error('Weather API Error:', error);
      return null;
    }
  }
}

// Use it
const weather = new WeatherApp('your-api-key');
const data = await weather.getWeather('Paris');

🔍 Testing Authentication

Check If Key Works

javascript

async function testAPIKey(key) {
  const testURL = `https://api.example.com/test?key=${key}`;

  try {
    const response = await fetch(testURL);

    if (response.ok) {
      console.log('✅ API key is valid!');
      return true;
    } else if (response.status === 401) {
      console.log('❌ Invalid API key');
      return false;
    }
  } catch (error) {
    console.log('❌ Network error');
    return false;
  }
}

📊 Managing Multiple API Keys

javascript

// Organize your keys
const apiKeys = {
  weather: 'weather-key-here',
  news: 'news-key-here',
  maps: 'maps-key-here'
};

// Helper function
function getAPIKey(service) {
  return apiKeys[service] || null;
}

// Usage
const weatherKey = getAPIKey('weather');

🎮 Practice Tasks

Sign up for a free OpenWeatherMap account
Get your API key from the dashboard
Test it in your browser
Make a request using JavaScript
Handle errors for invalid keys

📚 Summary

You've learned:

API keys identify and authenticate you
Keep keys secret and secure
Keys can go in URLs, headers, or authorization
APIs have rate limits to prevent abuse
Always handle authentication errors

API keys are your passport to the world of external data!

🚀 Next Lesson Preview

In Concept 04, you'll learn to:

Send data with POST requests
Create new resources via APIs
Work with request bodies
Handle form submissions to APIs