Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Good approach for a web API token scheme?

Tags:

rest

I am working on a REST API for a web application that up until now we have developed internally for a couple of companion applications. Now that we are looking at opening up to outside developers we want to add tokens to the API in order to help identify who is making requests and in general to help manage it's use. At this point we are using https and basic authentication for user authentication on the API.

The token scheme we've been discussing would be very simple where each developer would be assigned 1 or more tokens and these tokens would be passed as a parameter with each request.

My question is if you've done something similar before how did you do it (did you do more or less, how did you handle security, etc) and do you have any recommendations?

like image 561
paulthenerd Avatar asked Aug 10 '09 20:08

paulthenerd

People also ask

What is the best method for API authentication?

Common API Authentication Methods The simplest way to handle authentication is through the use of HTTP, where the username and password are sent alongside every API call. You can use an HTTP header and encode the username and password.

What approach can we take to secure APIs?

Here are some of the most common ways you can strengthen your API security: Use tokens. Establish trusted identities and then control access to services and resources by using tokens assigned to those identities. Use encryption and signatures.

How do you handle API tokens?

Here are some basic considerations to keep in mind when using tokens: Keep it secret. Keep it safe: The signing key should be treated like any other credential and revealed only to services that need it. Do not add sensitive data to the payload: Tokens are signed to protect against manipulation and are easily decoded.

What is the best way to secure Web API?

For security concerns, it is recommended that the Web APIs should use the HTTPS (HTTP secure) endpoints to ensure that the data communication is encrypted using TLS/SSL (Transport Layer Security). By the way, SSL is a cryptographic protocol responsible for ensuring secure communication over a computer network.

1 Answers

First, you might want look at http://OAuth.net. Depending on your usecases, it might provide the security you need.

As to the token, it's a BLOB to most protocols, including OAuth. You can put any information you need in it in any format.

Here is what we do,

  1. First we assign each developer a key with associated secret.
  2. The token itself is an encrypted name-value pairs. We put things like username, expiry, session id, roles etc in there. It's encrypted with our own secret so no one else can make it.
  3. For easy of use with web API, we use the URL-safe version of Base64 so the token is always URL-safe.

Hope that helps!

like image 88
ZZ Coder Avatar answered Sep 20 '22 03:09

ZZ Coder
Sign in to Comment

Related questions

Python RESTful client like Guzzle from PHP
LinkedIn REST API - Internal server error
Return JsonObject in spring restful webservice
Jax-RS not registering resource with @provider annotation
Bad Encoding when receiving response from HttpClient in UWP
Resttemplate GET Request with Custom Headers
How to handle REST API paths when related resources belong to different microservices?
Dropwizard & Hibernate - No session currently bound to execution context
Filter using HBase REST API
How to make a POST request using Advanced Rest Client
laravel 5.5 resource restful API
How to send a huge parameter list to a GET request
How to POST x-www-form-urlencoded in retrofit
REST API - Endpoint syntax - get item by property - not by id
Document a @RequestBody Map in Swagger
LinkedIn API :: how to obtain the bearer access token
Bare Minimum Configuration for RESTful WCF
Performing AJAX delete operations restfully in rails
ASP.NET MVC and REST URI's
How do I update a has_and_belongs_to_many collection RESTfully?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!