What is an API key?

I see this word in almost every cross-service application these days.

What is an API key and who uses it?

Also, what is the difference between public and private API keys?

+102
security api terminology api-key
Sep 21 '09 at 6:14
6 answers

What “exactly” an API key is used for depends heavily on who issues it and what services it is used for. In general, however, an API key is the name given to some form of secret token, which is transmitted along with requests from a web service (or the like) to identify the origin of the request. The key can be included in some digest of the contents of the request in order to further verify the origin and prevent falsification of values.

Typically, if you can positively identify the source of a request, it acts as a form of authentication, which can lead to access control. For example, you can restrict access to certain API actions based on who is making the request. For companies that make money selling such services, this is also a way to keep track of who is using the service, for billing purposes. In addition, by blocking the key, you can partially prevent abuse in case of excessively high volumes of requests.

In general, if you have both a public and a private API key, it suggests that the keys themselves are a traditional public / private key pair, used in some form of asymmetric cryptography or related digital signing. These are safer methods for positively identifying the source of the request and, in addition, for protecting the content of the request from tracking (in addition to falsification).

+106
Sep 21 '09 at 6:22
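
The answer above mentions including the key in a digest of the request contents. As an added example (not part of the original answers), the following shows one common way to do that with HMAC-SHA256; the key id, secret, canonical request layout and 300-second freshness window are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: public key id -> shared secret (values are made up).
SECRETS = {"demo-key-id": b"constructed-secret-not-real"}
MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed policy)


def canonical(method, path, timestamp, body):
    """Bytes covered by the digest: changing any field changes the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign(secret, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    message = canonical(method, path, timestamp, body)
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(key_id, signature, method, path, timestamp, body, now):
    """Server side: returns (accepted, reason)."""
    secret = SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(secret, method, path, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    ts = 1_700_000_000  # constructed timestamp
    body = b'{"amount": 10}'
    sig = sign(SECRETS["demo-key-id"], "POST", "/v1/transfer", ts, body)
    # Untouched request inside the freshness window is accepted.
    print(verify("demo-key-id", sig, "POST", "/v1/transfer", ts, body, ts + 5))
    # Same signature with an altered body is rejected.
    print(verify("demo-key-id", sig, "POST", "/v1/transfer", ts,
                 b'{"amount": 9999}', ts + 5))
    # Same request presented an hour later is rejected as stale.
    print(verify("demo-key-id", sig, "POST", "/v1/transfer", ts, body, ts + 3600))
```

Only the key id and the signature travel with the request; the secret never leaves the client or the server. The timestamp limits how long a captured request remains acceptable but does not stop a replay inside that window.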

Generally speaking:

The API key simply identifies you.

If there is a distinction between public / private, then the public key is one that you can distribute to others so that they can get some subset of the information about you from the API. The private key is for your use only and provides access to all your data.

+23
Sep 21 '09 at 6:17

It seems that many people use API keys as a security solution. The bottom line: never treat API keys as secret; they are not. Over HTTPS or not, whoever can read the request can see the API key and can make any call they want. The API key should be treated as a user identifier, since it is not a complete security solution even when used with SSL.

The best description is in Evgeny Osovetsky's link: When working with most APIs, why do they need two types of authentication, namely the key and the secret? Or check out http://nordicapis.com/why-api-keys-are-not-enough/

+15
Apr 08 '17 at 12:05

The API key is a unique value that is assigned to a user of the service when they are accepted as a user of the service.

The service supports all issued keys and checks them with every request.

Having looked at the provided key upon request, the service checks whether it is a valid key in order to decide whether to provide access to the user or not.

+9
Sep 21 '09 at 6:16

API keys are just one way to authenticate web service users.

+2
Sep 21 '09 at 6:45

Think of it this way: the "public API key" is like the username your database uses as an input to the verification server. Then the "private API key" would be like a password. Using this method on the site / database, security is maintained on a third party / verification server to authenticate a request to publish or edit your site / database.

The API string is just the login URL for your site / database to contact the validation server.

+1
Oct 21 '13 at 20:26