When an API endpoint offers its services to a user via HTTP, it is said to be "exposed". This means traffic can flow in or out of the API endpoints, including potentially malicious traffic. API security protects developers on both sides of an API from data loss, service outages, or plain foolishness. It also allows developers to know what endpoints are most trafficked, and throttle potential problem users who are making too many requests. There are a few methods of API security, and we'll outline them here.
At its root, API authentication is about keys. You ask for a key, and the API owner grants you a key. Your key is a long, unique string of numbers and letters. Once you have an API key, you are allowed to use the API, and the owner also knows who you are (at least, which application is yours) and what you are doing in their API. There are many different API authentication methods, such as OAuth and HMAC, which you can read about in our API Authentication article.
API credentials are unique identifiers that are required to access some API tools. Credentials are similar to API authentication, in that they provide a way for API owners to control who has access to their APIs, and they protect users from malicious usage. However, API credentials identify _who_ is using the software, which is an important distinction for security. Check out our API Credentials article to learn more.
API keys [authenticate an application accessing the API, without referencing an actual user, so the API approves access and knows the application, but doesn't know who the user actually is.
An API gateway sits between the client service and the backend, effectively decoupling the client interface from your backend implementation. This security option can also provide API analytics and versioning as an API manager.
API security is a necessary part of web development, and API authentication is a really interesting solution to the problem of password anti-patterns. You don't need to know the cryptography behind authentication, but you should know how to get the keys you need, how to keep them safe, and where to use them in requests and URLs.