---
title: AppSync GraphQL APIs should not use API keys for authentication
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > AppSync GraphQL APIs should not use API
  keys for authentication
---

# AppSync GraphQL APIs should not use API keys for authentication
 
## Description{% #description %}

Use approved authorization mechanisms for your AWS AppSync GraphQL APIs

An API key is a static value embedded in your application, generated by the AWS AppSync service upon creating an unauthenticated GraphQL endpoint. If this API key is exposed, your endpoint can be accessed without authorization. For applications or websites that are not intended for public access, it is advisable to use alternative authentication methods instead of an API key.

## Remediation{% #remediation %}

Follow the [Configuring authorization and authentication to secure your GraphQL APIs](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html) documentation to learn how to configure GraphQL API authorization types.