Why do APIs use API Keys instead of Usernames?

I can think of a number of reasons you might use a key:

  • Prevent guessing, especially if the key doubles as part of the authentication. This is what Terry's answer is trying to tell you - why allow a malicious user to simply try multiple user names from a dictionary when you can make them search a large address space (it would need to be be pretty big, bigger than 128-bit at least). Combined with rate-limiting and IP blocking, you would filter out a large number of attacks.
  • Prevent the users' account being compromised if the user name is public. If my username is antony and my API key is antony, great, you're half way to breaking in. However, if my API key is something random, it becomes much harder (see point 1).
  • Allow multiple devices to access the system and by extension enable a kind of access-control for devices. If you have one memorable username as your API key, this becomes hard to revoke unless there is a corresponding API secret. If you're using API secrets, having per-device secrets achieves a similar thing.
  • Prevent a leaked key from identifying the user in any way. This is, of course, entirely useless if the content of the application or device identifies the user.

This list is probably not exhaustive.


As others have stated its to create unique ID for each user.

But for AWS specifically, the "request authentication, theAWSAccessKeyId element identifies the secret key that was used to compute the signature, and (indirectly) the developer making the request."