Glossary

What is a zero-key API?

A zero-key API is an API whose first useful request requires no pre-provisioned credential: no signup, no API key, no OAuth flow. Access control, where needed, is established by the API itself during use - typically by returning a capability (an unguessable URL or token) that the client holds from then on - rather than by a registration step that must happen before use.

Zero-key does not mean zero security

The term describes onboarding, not protection. A zero-key service still controls access; it just issues the credential as an output of use instead of a prerequisite for it. The common pattern: an anonymous request creates a resource and returns a capability URL; that URL is then the credential for everything that follows. Rate limiting, quotas, and abuse controls apply per client and per resource exactly as they would behind an API key.

Why the pattern exists: machine clients

Signup flows assume a human: a browser, an email inbox, a password manager, a dashboard. AI agents have none of those. An agent reading documentation can execute "POST here, keep the returned URL" autonomously, but it stalls at "create an account and paste your key", which requires interrupting a human mid-task. As agents became a real client population, the credential exchange became the single largest integration cost - and zero-key designs remove it entirely.

The same property that helps agents helps humans prototyping: time-to-first-successful-call drops from minutes to seconds, and there is no key to leak into a public repo, because there is no key at all.

Trade-offs

  • Abuse surface: anonymous creation must be rate-limited and quota-capped aggressively; the provider absorbs this complexity so users do not see it.
  • Accountability: without accounts there is no user to email; lifecycle warnings must live in the API responses themselves.
  • Capability custody: the returned URL or token is a bearer credential, with all the capability-URL trade-offs (keep it server-side, treat it as private).
  • Fit: zero-key suits scoped, disposable, or per-resource services; multi-user products with roles and billing still need accounts eventually.
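The pattern from "Zero-key does not mean zero security" and the abuse-surface and capability-custody trade-offs above, as an added in-memory model (constructed for this entry; not TmpState's code or any real service's). It assumes a placeholder host, a quota of three anonymous creates per client per minute, and a store that keeps only a hash of each capability token.

```python
import hashlib
import secrets
import time
from collections import defaultdict

BASE_URL = "https://example.invalid"   # placeholder host, not a real service
CREATE_LIMIT = 3                       # anonymous creates per client per window
WINDOW_SECONDS = 60

def _storage_key(token):
    # Store only a hash of the capability: a leaked datastore then holds no
    # live credentials, and only the original token unlocks a resource.
    return hashlib.sha256(token.encode("ascii")).hexdigest()

class ZeroKeyService:
    def __init__(self, now=time.monotonic):
        self._now = now
        self._resources = {}                 # sha256(token) -> resource data
        self._creates = defaultdict(list)    # client id -> create timestamps

    def _allow_create(self, client_id):
        # Abuse control on the unauthenticated path: sliding-window quota keyed
        # on whatever identifies the caller (for example its source address).
        cutoff = self._now() - WINDOW_SECONDS
        recent = [t for t in self._creates[client_id] if t > cutoff]
        allowed = len(recent) < CREATE_LIMIT
        if allowed:
            recent.append(self._now())
        self._creates[client_id] = recent
        return allowed

    def create(self, client_id):
        # Anonymous POST: no credential in; a capability URL out (or 429 on quota).
        if not self._allow_create(client_id):
            return 429, None
        token = secrets.token_urlsafe(32)    # 256 random bits: unguessable by design
        self._resources[_storage_key(token)] = {}
        return 201, f"{BASE_URL}/db/{token}"

    def put(self, token, key, value):
        # The token from the URL is the whole credential for this resource.
        res = self._resources.get(_storage_key(token))
        if res is None:
            return 404                       # unknown capability looks like no resource
        res[key] = value
        return 200

    def get(self, token, key):
        res = self._resources.get(_storage_key(token))
        return (404, None) if res is None else (200, res.get(key))
```

A bearer token like this must travel only over TLS and stay server-side on the client, exactly as the custody trade-off above describes.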

A worked example

TmpState is a zero-key database: curl tmpstate.dev creates a database anonymously and returns a capability URL that is the only credential; the same zero-key model extends to its MCP server, which any MCP client can use with a single URL and no OAuth. Where money enters (paid extensions, the Pro subscription), payment happens in a browser via a checkout link, but the API surface itself never issues or demands an API key.

curl tmpstate.dev            # no key before, no key after
# MCP: {"tmpstate": {"url": "https://tmpstate.dev/mcp"}}  # no OAuth
