refactor: update api key wiki (#97)

src/content/terms/en/api-key.mdx

@@ -1,37 +1,66 @@
 ---
 title: API key
 tags: [authentication, api]
-description: An API key is a unique identifier used to authenticate and authorize a client when accessing an API. It serves as a secret token included in API requests to verify the client’s identity and allow access to specific resources or services. API keys are typically used in server-to-server communications or when accessing public data.
+description: An API key is a secret token used to authenticate clients accessing an API. It verifies identity and controls access to specific resources, commonly used in server-to-server communications or public data access.
 ---
 
 ## What is an API key?
 
-API keys are used to identify and authorize the calling application or service. They are typically long-lived and static until rotated and often have a fixed set of permissions. They are primarily used for server-to-server communications or accessing public data, these tokens generally do not represent a specific user.
+An API key is a secret token used to authenticate clients accessing an API. It's like a password for your application, allows access to a specific API. Think of it as a keycard to access a building. The keycard grants access, but doesn't necessarily identify who you are.
 
-## How do an API key work?
+## How do API keys work?
 
-An API key is a long string of characters generated by the API provider and shared with authorized users. This key must be included in the request header when accessing the API. API keys are simple and effective for basic security needs. For example, popular services like Google Maps API and AWS provide API keys to control access and monitor usage.
+API keys work through a simple request and response process.
 
-```java
-curl -GET https://api.example.com/endpoint -H "Authorization: api-key YOUR_API_KEY"
+1. **Request:** Your application sends a request to the API, including the API key.  The key is often sent in the header of the request.  For example, the header might look like this: `x-api-key: your_actual_api_key`.  There's no single standard for header names or value formats.
+
+2. **Verification:** The API server checks the provided key against its database.
+
+3. **Response:** If the key is valid, the server grants access and sends back the requested data. If not, access is denied.
+
+Here's a sequence diagram illustrating the process:
+
+```mermaid
+sequenceDiagram
+    participant A as Client
+    participant B as API Server
+
+    A->>B: Request with API Key in Header
+    activate B
+    B->>B: Verify API Key
+    B-->>A: Response (Data or Error)
+    deactivate B
 ```
 
-API keys are not as effective as other forms of API authentication, such as <Ref slug="oauth-2.0" /> and <Ref slug="jwt" />, but they still play an important role in helping API producers monitor usage since it is the the most straightforward and widely used method to secure APIs.
+## What are the pros and cons of API Keys?
 
-## What is its pros and cons?
+Let's look at what makes API keys useful and where they fall short:
 
 ### Pros
 
-- Simple to implement: API keys are easy to implement and use. They involve attaching a key to the request header, making it a straightforward method for developers and clients to understand and employ.
-- Easy to monitor: API keys are easy to monitor. You can track the usage of each key and revoke them if necessary.
-- Effective rate limiting: API keys are effective for rate limiting. You can set a limit on the number of requests per key to prevent abuse.
-- Suitable for non-sensitive data: API keys are suitable for non-sensitive data or publicly available APIs, where security requirements are lower.
+- **Super simple to use**: Just add a key to your request and you're good to go! It's like using a house key - no complicated steps needed.
+
+- **Easy to track**: Want to know who's using your API? API keys make it simple. You can see which apps are making calls and how often they're doing it.
+
+- **Quick rate limiting**: Stop people from overusing your API by setting limits per key. It's like having a bouncer at a club who counts how many times someone goes in and out.
+
+- **Perfect for public data**: If you're sharing non-sensitive info (like weather data or public stats), API keys are just right.
 
 ### Cons
 
-- Limited security: API keys are not secure enough for sensitive data, especially for client-side applications. They are often used in machine-to-machine communications.
-- Not suitable for user Authentication: API keys are tied to applications or systems, not individual users, making it challenging to identify specific users or track their actions.
-- No token expiry: API keys are typically static and don't expire. If a key is compromised, it could be misused indefinitely unless manually regenerated.
+- **Less secure than modern alternatives**: API keys are not as effective as other forms of API authentication, such as <Ref slug="oauth-2.0" /> and <Ref slug="jwt" />. Think of them as a basic lock compared to a modern security system. However, they remain popular because they're the simplest way to track API usage and get started with API security.
+
+- **Security risks**: API keys are like leaving your house key under the doormat. If someone finds it, they can use it forever. Here's why:
+  - They're often visible in code
+  - They don't expire automatically
+  - If leaked (like in public GitHub repos), anyone can use them
+
+- **Can't tell users apart**: While some companies use "API keys" that can identify users (like Stripe), traditional API keys can't tell you who's who. They only tell you which application is making the request.
+
+- **Static by nature**: Unlike modern auth tokens that expire, API keys usually stay the same forever. This means:
+  - No automatic security refreshes
+  - Manual work needed to rotate keys
+  - Higher risk if keys are exposed
 
 ## What are the use cases for API keys?