
Place API key in Headers or URL

I'm designing a public API to my company's data. We want application developers to sign up for an API key so that we can monitor use and overuse.

Since the API is REST, my initial thought is to put this key in a custom header. This is how I've seen Google, Amazon, and Yahoo do it. My boss, on the other hand, thinks the API is easier to use if the key becomes merely a part of the URL, e.g. "http://api.domain.tld/longapikey1234/resource". I guess there is something to be said for that, but it violates the principle of the URL as a simple address of what you want, and not how or why you want it.

Would you find it logical to put the key in the URL? Or would you rather not have to manually set HTTP headers if writing a simple JavaScript frontend to some data?

Thomas Ahle asked Apr 01 '11 18:04



2 Answers

It should be put in the HTTP Authorization header. The spec is here: https://www.rfc-editor.org/rfc/rfc7235

Darrel Miller answered Sep 21 '22 13:09


If you want an argument that might appeal to a boss: Think about what a URL is. URLs are public. People copy and paste them. They share them, they put them on advertisements. Nothing prevents someone (knowingly or not) from mailing that URL around for other people to use. If your API key is in that URL, everybody has it.

stand answered Sep 22 '22 13:09
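The two answers above, put side by side as an added example (not code from the question or either answer): the first function reads the key from an RFC 7235 style `Authorization` header as Darrel Miller suggests, the second reads it from the URL as the boss proposed, and the last one shows stand's point concretely by reconstructing the access-log line a web server would write for each request. The `ApiKey` scheme name, the key table, the client IP and the log format are all assumptions made for this example.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample key table (hypothetical values); a real service
# would store a hash of each key and look it up, not keep raw keys.
API_KEYS = {"longapikey1234": "example-app"}


def key_from_authorization(headers):
    """Pull the key out of an 'Authorization: ApiKey <token>' header.
    The header syntax follows RFC 7235; 'ApiKey' is an assumed custom scheme."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "apikey" or not token:
        return None
    return token


def key_from_url(url):
    """The alternative from the question: key as the first path segment
    or as an ?api_key= query parameter."""
    parts = urlsplit(url)
    from_query = parse_qs(parts.query).get("api_key")
    if from_query:
        return from_query[0]
    segments = [s for s in parts.path.split("/") if s]
    return segments[0] if segments else None


def authenticate(key):
    """Return the app name for a valid key; compare in constant time."""
    if key is None:
        return None
    for stored, app in API_KEYS.items():
        if hmac.compare_digest(stored.encode(), key.encode()):
            return app
    return None


def access_log_line(method, url):
    """Mimic a Common Log Format entry: servers log the full request
    target (path and query) by default, but not request headers."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'203.0.113.7 - - [01/Apr/2011:18:04:00 +0000] "{method} {target} HTTP/1.1" 200 512'


def key_leaks_into_log(method, url):
    """True when anyone who can read the access log can also read a valid key."""
    line = access_log_line(method, url)
    return any(stored in line for stored in API_KEYS)
```

Beyond server logs, a key carried in the URL also ends up in browser history, proxy logs and `Referer` headers, none of which see the `Authorization` header.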