API keys: Module 1

What is an API key?

An API key is a secret string that proves to a remote service (OpenAI, Stripe, a weather API, your own backend) that the program calling it is allowed to do so — usually on behalf of your account. It is not something you memorize; you paste it once into a config or a vault, and software sends it on each request (often in a header).

Built for machines first

When you log into a website with email + password, a human is present: you solve CAPTCHAs, you read warnings. API keys skip that flow: they are for scripts, servers, and browser apps that call HTTP APIs automatically. If someone copies your key, they can often act as your integration until you revoke it — same family of risk as a stolen password, but optimized for automation.

Mental model: the key is a badge your program shows at the door. Whoever holds the badge is treated as your automation — not necessarily you sitting at the keyboard.

Why platforms issue them

Providers need a cheap way to meter usage, block abuse, and tie traffic to a billing account. API keys (or their newer cousins, scoped tokens) check those boxes without running a full login UI on every request. You will see naming like “Secret key,” “Private key,” or “Project API key” — treat them all as high-sensitivity material unless the docs explicitly say “safe to embed in public clients” (rare and still context-dependent).
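As an added example (not part of this module or of the Coffee project), here is a minimal server-side version of the "badge at the door" check in Python: the service stores only a hash of each key, ties the key to an account, meters requests per key, and refuses the badge once it is revoked. The `sk_<id>_<secret>` key format and the `X-API-Key` header name are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
# Constructed server-side key store (example only): the plaintext key is shown
# to the account owner exactly once; the server keeps only a SHA-256 digest.
@dataclass
class KeyRecord:
    account: str        # billing account the badge is tied to
    digest: str         # sha256 of the secret half of the key
    revoked: bool = False
    requests: int = 0   # per-key usage meter

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class KeyStore:
    def __init__(self) -> None:
        self._by_id: dict = {}   # key id -> KeyRecord

    def issue(self, account: str) -> str:
        """Mint sk_<id>_<secret>: the id is a lookup handle, the secret is the badge."""
        key_id, secret = secrets.token_hex(4), secrets.token_hex(32)
        self._by_id[key_id] = KeyRecord(account, _digest(secret))
        return f"sk_{key_id}_{secret}"

    def revoke(self, key: str) -> None:
        """From now on the same badge is refused at the door."""
        parts = key.split("_", 2)
        if len(parts) == 3 and parts[1] in self._by_id:
            self._by_id[parts[1]].revoked = True

    def usage(self, key: str) -> int:
        parts = key.split("_", 2)
        return self._by_id[parts[1]].requests if len(parts) == 3 and parts[1] in self._by_id else 0

    def authenticate(self, headers: dict):
        """Return the account behind the presented badge, or None if it is refused."""
        parts = headers.get("X-API-Key", "").split("_", 2)
        if len(parts) != 3 or parts[0] != "sk":
            return None
        rec = self._by_id.get(parts[1])
        if rec is None or rec.revoked:
            return None
        # constant-time compare so the check itself does not leak the secret
        if not hmac.compare_digest(rec.digest, _digest(parts[2])):
            return None
        rec.requests += 1   # meter usage for billing and abuse detection
        return rec.account
```

The point to notice is that the server never needs the plaintext key after issuing it, and that revocation is a one-line flag flip rather than a password reset.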

Tie-in: Coffee Key Vault

Coffee’s KEY1-CORE page is where you store those strings locally in the browser (IndexedDB + compatibility mirrors) so Coffee surfaces can read them without you re-pasting into every demo. Module 6 tours this UI end-to-end.