Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Place API key in Headers or URL

Tags:

rest

http

authentication

url

api-key

I'm designing a public API to my company's data. We want application developers to sign up for an API key so that we can monitor use and overuse.

Since the API is REST, my initial thought is to put this key in a custom header. This is how I've seen Google, Amazon, and Yahoo do it. My boss, on the other hand, thinks the API is easier to use if the key becomes merely a part of the URL, etc. "http://api.domain.tld/longapikey1234/resource". I guess there is something to be said for that, but it violates the principle of the URL as a simple address of what you want, and not how or why you want it.

Would you find it logical to put the key in the URL? Or would you rather not have to manually set HTTP headers if writing a simple javascript frontend to some data?

like image 482
Thomas Ahle Avatar asked Apr 01 '11 18:04

Thomas Ahle

People also ask

Where should I put my API keys?

Don't store your API key directly in your code. Instead, store your API key and secret directly in your environment variables. Environment variables are dynamic objects whose values are set outside of the application. This will let you access them easily (by using the os.

How do I post API key?

You can pass in the API Key to our APIs either by using the HTTP Basic authentication header or by sending an api_key parameter via the query string or request body. If you use our client library CARTO. js, you only need to follow the authorization section and we will handle API Keys automatically for you.

Is passing API key in URL safe?

In both cases, the API key will be passed unencrypted. So both are insecure unless you use HTTPS. Aside : A REST API over the web cannot be secured unless you ask the user to login with his credentials. Anybody can easily identify the API key and make requests to your server.

2 Answers

It should be put in the HTTP Authorization header. The spec is here https://www.rfc-editor.org/rfc/rfc7235

like image 141
Darrel Miller Avatar answered Sep 21 '22 13:09

Darrel Miller

If you want an argument that might appeal to a boss: Think about what a URL is. URLs are public. People copy and paste them. They share them, they put them on advertisements. Nothing prevents someone (knowingly or not) from mailing that URL around for other people to use. If your API key is in that URL, everybody has it.

like image 44
stand Avatar answered Sep 22 '22 13:09

stand
Sign in to Comment

Related questions

Body of Http.DELETE request in Angular2
Structuring online documentation for a REST API
How to sync CoreData and a REST web service asynchronously and the same time properly propagate any REST errors into the UI
How to secure REST API with Spring Boot and Spring Security?
Automated testing for REST Api [closed]
What tools do you use to test your public REST API? [closed]
HTTP Request in Android with Kotlin
Trying to use Spring Boot REST to Read JSON String from POST
Which HTTP response code for "This email is already registered"?
How are integration tests written for interacting with external API?
In REST is POST or PUT best suited for upsert operation?
REST API for website which uses Facebook for authentication
What are the pitfalls of using Websockets in place of RESTful HTTP?
Async POST fails on WP7 and F#
How to use jti claim in a JWT
WCF Data Services (OData) Vs ASP.NET Web API
XDebug and RESTful server using PHPStorm or POSTman
How to secure RESTful web services?
Why use JAX-RS / Jersey?
Is a response-body allowed for a HTTP-DELETE-request?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!