Am working with phil sturgeon REST_Controller for codeigniter to create a REST api, so far i've been able to create a simple library for generating api keys for the users. My problem is now sending the api key to the API for each request, how i do this without having to manually send it for every request.
A CARTO API Key is physically a token/code of 12+ random alphanumeric characters. You can pass in the API Key to our APIs either by using the HTTP Basic authentication header or by sending an api_key parameter via the query string or request body.
Using API keys is a way to authenticate an application accessing the API, without referencing an actual user. The app adds the key to each API request, and the API can use the key to identify the application and authorize the request.
Isn't it elementary that passing an API key in a query string as a part of the URL is not secure at least in HTTP. It is not a good practice to pass sensitive information in URL.
You should look into request signing. A great example is Amazon's S3 REST API.
The overview is actually pretty straightforward. The user has two important pieces of information to use your API, a public user id and a private API Key. They send the public id with the request, and use the private key to sign the request. The receiving server looks up the user's key and decides if the signed request is valid. The flow is something like this:
/user/[email protected]
./user/[email protected]&userid=123&sig=some_generated_string
This methodology ensures the API key is never sent as part of the communication.
Take a look at PHP's hash_hmac() function, it's popular for sending signed requests. Generally you get the user to do something like put all the parameters into an array, sort alphabetically, concatenate into a string and then hash_hmac
that string to get the sig. In this example you might do:
$sig = hash_hmac("sha256",$params['email'].$params['userid'],$API_KEY)
Then add that $sig
onto the REST url as mentioned above.
The idea of REST is that it's stateless—so no sessions or anything. If you want to authenticate, then this is where keys come in, and keys must be passed for every request, and each request authenticates the user (as REST is stateless, did I mention that?).
There are various ways you can pass a key. You could pass it as a parameter (i.e. http://example.com/api/resource/id?key=api_key) or you can pass it as part of the HTTP headers. I've seen APIs that specify you send your username, and an API key as the password portion of the HTTP basic access authorization header.
An example request:
<?php $ch = curl_init(); curl_setopt_array($ch, array( CURLOPT_RETURNTRANSFER => true, CURLOPT_URL => 'http://example.com/api/resource/id', CURLOPT_USERPWD => 'martinbean:4eefab4111b2a' )); $response = curl_exec($ch);
Where martinbean
would be my account username on your website, and 4eefab4111b2a
would be my API key.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With