API key

Short description: Unique user identifier

An application programming interface (API) key is a unique identifier used to authenticate and authorize a user, developer, or calling program to an API.^[1] However, they are typically used to authenticate and authorize a project with the API rather than a human user.^[1]^[2]

Usage

The API key often acts as both a unique identifier and a secret token for authentication and authorization, and will generally have a set of access rights on the API associated with it.^[3]

HTTP APIs

API keys for HTTP-based APIs can be sent in multiple ways:^[4]

In the query string:

POST /something?api_key=abcdef12345 HTTP/1.1

As a request header:

GET /something HTTP/1.1
X-API-Key: abcdef12345

As a cookie:

GET /something HTTP/1.1
Cookie: X-API-KEY=abcdef12345

Security

API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key.^[2] Since API keys must only be accessible to the client and server, authentication using API keys is only considered secure when used in conjunction with other security mechanisms such as HTTPS.^[4]

Incidents

In 2017, Fallible, a Delaware-based security firm examined 16,000 android apps and identified over 300 which contained hard-coded API keys for services like Dropbox, Twitter, and Slack.^[5]

References

↑ ^1.0 ^1.1 "API Key - What is an API Key?" (in en-US). https://blog.rapidapi.com/api-glossary/api-key/.
↑ ^2.0 ^2.1 "Why and when to use API keys | Cloud Endpoints with OpenAPI" (in en). https://cloud.google.com/endpoints/docs/openapi/when-why-api-key.
↑ "Generating API Keys" (in en-us). 2018-06-12. https://www.ibm.com/docs/en/asoc/1.0.0?topic=api-generating-keys.
↑ ^4.0 ^4.1 "API Keys". https://swagger.io/docs/specification/authentication/api-keys/.
↑ "Hundreds of popular Android apps contain hard-coded secret keys" (in en). https://www.zdnet.com/article/secret-tokens-found-hard-coded-in-hundreds-of-android-apps/.

Book sources

De, Brajesh (2017). API management: an architect's guide to developing and managing APIs for your organization (1st ed.). New York: Apress. ISBN 978-1-4842-1305-6. OCLC 978273106. https://www.worldcat.org/oclc/978273106.

External links

Why and When to Use API Keys

0.00

(0 votes)

Original source: https://en.wikipedia.org/wiki/API key. Read more

[:0-1] 1.0 ^1.1 "API Key - What is an API Key?" (in en-US). https://blog.rapidapi.com/api-glossary/api-key/.

[:1-2] 2.0 ^2.1 "Why and when to use API keys | Cloud Endpoints with OpenAPI" (in en). https://cloud.google.com/endpoints/docs/openapi/when-why-api-key.

[3] "Generating API Keys" (in en-us). 2018-06-12. https://www.ibm.com/docs/en/asoc/1.0.0?topic=api-generating-keys.

[:2-4] 4.0 ^4.1 "API Keys". https://swagger.io/docs/specification/authentication/api-keys/.

[5] "Hundreds of popular Android apps contain hard-coded secret keys" (in en). https://www.zdnet.com/article/secret-tokens-found-hard-coded-in-hundreds-of-android-apps/.

[1]

[2]

[3]

[4]

[5]

Anonymous

Search

API key

Namespaces

More

Page actions

Contents

Usage

HTTP APIs

Security

Incidents

References

Book sources

External links

Navigation

Navigation

Help

Translate

Wiki tools

Wiki tools

Anonymous

Search

API key

Usage

HTTP APIs

Security

Incidents

References

Book sources

External links

Navigation

Wiki tools

Page tools

Other projects

Categories