API Keys, Tokens, and Passwords. What Is Each One and When Do You Use It?
You are looking at your AI-written script and there are three different things that all look like secrets. One section has a password. Another has something called an API key. A third mentions a token. You copy them carefully into the right places, run the script, and it works — until it does not, and you have no idea which one caused the problem or why. If you have ever treated all three as interchangeable because nobody explained the difference, here is the explanation.
The One Sentence Version of Each
A password is something you choose and remember, used to prove you are you to a service you have an account with.
An API key is something a service generates for you, used to identify your app or script when it makes requests to that service.
An access token is something generated temporarily after authentication, used to grant access for a limited time without re-entering credentials every time.
Same family. Different jobs. Different lifespans. Different risks.
Passwords: Keep Them Out of Your Scripts
A password is the most familiar of the three. You create it, you remember it, you use it to log in. A well-run service never stores the password itself: it stores a salted one-way hash of it and, when you sign in, hashes what you typed and compares the two. If a service can email you your old password in plain text, it is storing it wrong.
The important thing for vibecoders: your scripts should almost never store or use your personal passwords directly. If your script needs to access Gmail, Shopify, or any other service, use an API key or OAuth token instead, not your actual login password. A password gives whoever holds it everything your account can do, including changing the password itself; a key or token can be limited to the few actions the script needs and revoked without locking you out. Hardcoding a password into a script is a security risk, and if that script ever gets shared or pushed to GitHub, your whole account is exposed.
If your AI writes a script that asks for your password directly, ask it: "Can you rewrite this to use environment variables or OAuth instead?" It will know exactly what to do.
API Keys: Your App's Long-Term Identity Card
An API key is not something you create. A service generates it and gives it to you when you sign up for their API.
That key identifies you specifically whenever your script makes a request. It is how the service knows who to bill, what rate limits to apply, and whether to answer at all. Every request your script makes carries your API key like a name badge.
Think of it like a gym membership card. Your name is on it, it gets you through the door, and if someone else gets hold of it they can use the gym on your account. Most API keys do not expire on their own; they are long-lived credentials that work until you revoke them. That is exactly why you store them in a .env file (listed in .gitignore) rather than directly in your code, create them with the narrowest permissions the service offers, and revoke and regenerate them immediately if you think they have been exposed.
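The ".env file plus environment variables" pattern from this section, and the storage advice in the list further down, as an added example that is not code from the original page. It reads a constructed .env text (the key values are placeholders, not real credentials), fails fast when a required secret is missing, attaches the key per request, and redacts real values before anything gets logged or pasted into a forum post. The `X-API-Key` header name is an assumption; each service documents its own.

```python
import os

# Constructed sample .env contents. Values are placeholders, not real keys.
SAMPLE_DOTENV = """
# Secrets for the invoice-sync script. This file is listed in .gitignore.
SHOP_API_KEY=example-key-abc123
MAIL_API_KEY="example-mail-key-xyz"
LOG_LEVEL=info
"""


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips matching quotes."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def load_secrets(names: list[str], env=None) -> dict[str, str]:
    """Fetch required secrets from the environment; fail with a clear error, not a 401 later."""
    env = os.environ if env is None else env
    missing = [name for name in names if not env.get(name)]
    if missing:
        raise RuntimeError(
            f"missing secrets: {', '.join(missing)} (set them in .env or the environment)"
        )
    return {name: env[name] for name in names}


def auth_headers(api_key: str) -> dict[str, str]:
    """The key rides on every request like a name badge. Header name is an assumption."""
    return {"X-API-Key": api_key}


def redact(text: str, secrets: dict[str, str]) -> str:
    """Replace every real secret value with a <NAME> placeholder before sharing text."""
    # Longest values first so a short key cannot partially overwrite a longer one.
    for name, value in sorted(secrets.items(), key=lambda kv: -len(kv[1])):
        text = text.replace(value, f"<{name}>")
    return text


if __name__ == "__main__":
    # In a real script: for k, v in parse_dotenv(open(".env").read()).items(): os.environ.setdefault(k, v)
    env = parse_dotenv(SAMPLE_DOTENV)
    secrets = load_secrets(["SHOP_API_KEY", "MAIL_API_KEY"], env)
    print(auth_headers(secrets["SHOP_API_KEY"]))
    print(redact("request failed, headers were X-API-Key: example-key-abc123", secrets))
```

Running the redaction over error output before you paste it anywhere is the practical form of the "replace real values with placeholders" rule at the end of this page.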
Access Tokens: Temporary Passes With an Expiry Date
A token is what you receive after a successful authentication. It is temporary by design.
When you click "Sign in with Google" (the OAuth flow, where Google vouches for your identity), Google does not give your app your password. It gives it an access token. That token says "this user authenticated at this time and gave permission for these specific things." It expires after a short, fixed period, typically an hour or less, and your app then uses a separate, longer-lived refresh token to obtain a new access token without asking the user to sign in again.
Tokens exist because permanent credentials are risky. If an API key leaks, it works until someone revokes it. If an access token leaks, it stops working on its own when it expires, though it is fully usable until then, so revoke it anyway if you can. Tokens are the safer option for situations where access needs to be granted temporarily or on behalf of a specific user.
When your script throws a "401 Unauthorized" or "token expired" error, an expired access token is the most common cause, but not the only one: a missing or malformed Authorization header, a revoked key, or a token without the right scope produces the same status. Good refresh logic gets a new token, retries once, and if the request still fails treats it as a credential problem rather than retrying forever. Ask your AI to add automatic token refresh logic and it will handle it cleanly.
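The refresh logic described above, as an added example that is not code from the original page. The token endpoint and the protected API are constructed stand-ins so it runs offline; `access_token` and `expires_in` are the standard OAuth response fields, everything else (the fake server, the `refresh-example` token, the safety margin) is an assumption of the example. The manager refreshes shortly before expiry, and on a 401 refreshes once and retries; a second 401 is reported as a credential problem instead of looping.

```python
import time
from typing import Callable


class FakeAuthServer:
    """Constructed stand-in for an OAuth token endpoint. Not a real service."""

    def __init__(self, refresh_token: str = "refresh-example", lifetime: int = 3600):
        self.refresh_token = refresh_token
        self.lifetime = lifetime          # seconds each access token is valid for
        self.issued = 0
        self.current: str | None = None   # the one access token the server accepts right now

    def refresh(self, refresh_token: str) -> dict:
        if refresh_token != self.refresh_token:
            raise PermissionError("refresh token rejected: user must sign in again")
        self.issued += 1
        self.current = f"access-{self.issued}"
        return {"access_token": self.current, "expires_in": self.lifetime}


class FakeApi:
    """Constructed stand-in for a protected API: 200 only for the server's current token."""

    def __init__(self, server: FakeAuthServer):
        self.server = server

    def get_profile(self, access_token: str) -> tuple[int, dict]:
        if access_token != self.server.current:
            return 401, {"error": "invalid_token"}
        return 200, {"name": "example user"}


class TokenManager:
    """Keeps a valid access token on hand and hides expiry from the calling code."""

    def __init__(self, server: FakeAuthServer, refresh_token: str,
                 clock: Callable[[], float] = time.time, skew: int = 60):
        self.server = server
        self.refresh_token = refresh_token
        self.clock = clock                # injectable so tests can move time forward
        self.skew = skew                  # refresh this many seconds before expiry
        self.access_token: str | None = None
        self.expires_at = 0.0
        self.refresh_count = 0

    def _refresh(self) -> None:
        resp = self.server.refresh(self.refresh_token)
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + resp["expires_in"]
        self.refresh_count += 1

    def token(self) -> str:
        """Return a token that is not about to expire, refreshing proactively if needed."""
        if self.access_token is None or self.clock() >= self.expires_at - self.skew:
            self._refresh()
        return self.access_token

    def call(self, request: Callable[[str], tuple[int, dict]]) -> tuple[int, dict]:
        """Run a request; on 401 refresh once and retry, then give up with a clear error."""
        status, body = request(self.token())
        if status == 401:
            self._refresh()
            status, body = request(self.access_token)
            if status == 401:
                raise PermissionError("still 401 after a fresh token: check the credential and its scopes")
        return status, body


if __name__ == "__main__":
    server = FakeAuthServer()
    manager = TokenManager(server, "refresh-example")
    print(manager.call(FakeApi(server).get_profile))  # (200, {'name': 'example user'})
```

Injecting the clock is what makes expiry testable: a unit test can jump forward an hour and check that exactly one refresh happened, which is far more reliable than waiting for the real token to age out.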
When You Will Encounter Each One
Passwords — when setting up services, but rarely inside scripts. If a script asks for your password, ask the AI to use a safer method instead.
API keys — constantly. Almost every external service your script calls will require one. Store them in a .env file that is listed in .gitignore, reference them as environment variables in your code, and never commit them, even to a private repository, because a private repo can become public or be cloned onto a laptop you do not control.
Access tokens — when your app has user accounts, when it accesses services on behalf of a user, or when it connects to services that use OAuth. Your AI handles most of the token logic — but knowing what a token is helps you read the errors when they go wrong.
The One Security Rule That Covers All Three
None of them belong in code you share publicly. Not in a GitHub repository, not in a screenshot, not in a forum post asking for help. Replace real values with placeholders such as API_KEY_HERE, MY_TOKEN or MY_PASSWORD before sharing anything anywhere. And if a real value has already gone out, treat it as burned: rotate the key, revoke the token or change the password. Deleting it from the repository afterwards does not un-leak it, because the old commit and anyone's clone still contain it.
Build this habit from day one. It will save you at some point. Guaranteed.
The One Thing to Remember
Passwords prove who you are. API keys identify your app. Access tokens grant temporary access after authentication. All three are secrets. None of them belong in public code.
Building something that handles credentials and want it running securely? → Snapdock
New here? This might help: What is an API? The honest explanation nobody bothers to give you →