An API is just the way we know how to accept data from you - a list of the words our program understands.
For example, in our $update_customer_session event we have something called $id_order, which the unique id for an order in your system. If you send that, we can understand it, whereas if you send $id_for_order we won't know what that means, even though it's obvious to you and me (computer programs are very, very literal).
You can think of an API key as your unique password. When you send us data, this is how we know it's yours.