Menu
When designing an API for our web app, we'll use the their subdomain as the 'username' and generate an API key/shared secret. Firstly, is it ok to use the subdomain as the username? I don't see the benefit of generating another key.
Different APIs seem to do one of two things:
In every request the username is set to the subdomain and the password to the API key. Since we're using SSL then this should be safe from spoofing.
Notable APIs: Google Checkout, Freshbooks, GitHub, Zendesk
Normally achieved by ordering the key/value pairs and using HMAC-SHA1 with the shared secret to generate the signature. The signature is then sent with the request and verified at the other end.
Notable APIs: Google Checkout, Amazon AWS
PS: thats no mistake, Google Checkout supports both
Edit: Just read that OAuth 2 is dropping signatures in favour of sending a username/password via SSL.
Any opinions from anyone on what to pick: SSL vs Signature?
832
The SSL certificate is installed on your web server hosting your REST API. The clients don't need to have a certificate to securely exchange data with your server. Think about all the e-banking/e-shopping sites that you probably use.
The first step in securing an API is to ensure that you only accept queries sent over a secure channel, like TLS (formerly known as SSL). Communicating with a TLS certificate protects all access credentials and API data in transit using end-to-end encryption. API keys are another step toward securing a REST API.
HTTP Basic Authentication over SSL is perfectly secure from my research.
After all, using SSL (strictly TLS now) means the transport layer is encrypted and we can safely assume any information passed over this is secure and has not been tampered with.
Therefore passing the username and password without generating a signature is sufficient.
78
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
