Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Good approach for a web API token scheme?

Tags:

rest

I am working on a REST API for a web application that up until now we have developed internally for a couple of companion applications. Now that we are looking at opening up to outside developers we want to add tokens to the API in order to help identify who is making requests and in general to help manage it's use. At this point we are using https and basic authentication for user authentication on the API.

The token scheme we've been discussing would be very simple where each developer would be assigned 1 or more tokens and these tokens would be passed as a parameter with each request.

My question is if you've done something similar before how did you do it (did you do more or less, how did you handle security, etc) and do you have any recommendations?

like image 561
paulthenerd Avatar asked Aug 10 '09 20:08

paulthenerd


People also ask

What is the best method for API authentication?

Common API Authentication Methods The simplest way to handle authentication is through the use of HTTP, where the username and password are sent alongside every API call. You can use an HTTP header and encode the username and password.

What approach can we take to secure APIs?

Here are some of the most common ways you can strengthen your API security: Use tokens. Establish trusted identities and then control access to services and resources by using tokens assigned to those identities. Use encryption and signatures.

How do you handle API tokens?

Here are some basic considerations to keep in mind when using tokens: Keep it secret. Keep it safe: The signing key should be treated like any other credential and revealed only to services that need it. Do not add sensitive data to the payload: Tokens are signed to protect against manipulation and are easily decoded.

What is the best way to secure Web API?

For security concerns, it is recommended that the Web APIs should use the HTTPS (HTTP secure) endpoints to ensure that the data communication is encrypted using TLS/SSL (Transport Layer Security). By the way, SSL is a cryptographic protocol responsible for ensuring secure communication over a computer network.


1 Answers

First, you might want look at http://OAuth.net. Depending on your usecases, it might provide the security you need.

As to the token, it's a BLOB to most protocols, including OAuth. You can put any information you need in it in any format.

Here is what we do,

  1. First we assign each developer a key with associated secret.
  2. The token itself is an encrypted name-value pairs. We put things like username, expiry, session id, roles etc in there. It's encrypted with our own secret so no one else can make it.
  3. For easy of use with web API, we use the URL-safe version of Base64 so the token is always URL-safe.

Hope that helps!

like image 88
ZZ Coder Avatar answered Sep 20 '22 03:09

ZZ Coder