What is to stop a developer from getting multiple API keys

Most APIs ask developers to get an API key. The API key is then used for rate limiting. What is to stop a developer from getting multiple API keys as a way to prevent the rate limit?

The problem I'm facing is deciding how to issue an API key. The only thing I found working is to issue more of a "developer key".

  • I haven't found a way to really rate limit an application's usage (someone could obtain multiple keys and sequence feed them to his app to get higher rates for this one app)
  • and I haven't found a way to keep the key per-application (someone could get the key and use it on multiple domains)
silow asked Feb 10 '11 18:02

1 Answer

An API key isn't the right tool for rate limiting, especially if the API is back-end callable. It works if the code is integrated at the end-user's browser, since that serves as "neutral ground" that can ensure that the application identity isn't being spoofed, but not if it's called from a service or application written by your client developers.

Resource utilization control is an economic problem, so it calls for an economic solution. Requiring a unique hashcash token per-call is a good way to enforce this. (Hashcash is a proof-of-work scheme -- it requires the caller to prove they've expended a bunch of CPU time on a pointless task as a way to prove the request has value to them.)

It is also scalable depending on load -- if your service is being overwhelmed, you can dynamically increase the "price" in leading zero bits required in the token; each increase by one bit will reduce the request rate by half. (Just make sure your API can communicate the hashcash "price" if it is dynamic.)

Jeffrey Hantin answered Sep 25 '22 16:09
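To make the per-call hashcash idea in the answer concrete, here is an added example (not code from the answer or from any real hashcash library) of a client minting a proof-of-work token and an API gateway verifying it. The token layout, the `HashcashVerifier` class and the resource-binding field are assumptions of this example; the server checks the current price in leading zero bits, freshness, binding to the requested resource, and single use, and can raise the price at runtime as the answer suggests.

```python
import hashlib
import os
import time

# Added example, not from the answer. Token format (our own, assumed):
#   ver:bits:timestamp:resource:random:counter
# A token is valid when SHA-256(token) has at least `bits` leading zero bits.
def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        return n + 8 - b.bit_length()
    return n

def mint_token(resource: str, bits: int) -> str:
    """Client side: search for a counter that meets the price (~2**bits hashes)."""
    rand, stamp, counter = os.urandom(8).hex(), int(time.time()), 0
    while True:
        token = f"1:{bits}:{stamp}:{resource}:{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(token.encode()).digest()) >= bits:
            return token
        counter += 1

class HashcashVerifier:
    """Server side: enforce current price, freshness, resource binding, single use."""
    def __init__(self, bits: int, max_age: int = 300):
        self.bits, self.max_age = bits, max_age
        self.seen = set()  # spent tokens; use a TTL store (e.g. Redis) in production

    def set_price(self, bits: int) -> None:
        """Dynamic price: each extra bit roughly halves the sustainable request rate."""
        self.bits = bits

    def verify(self, token: str, resource: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            ver, bits, stamp, res, _rand, _ctr = token.split(":")
            bits, stamp = int(bits), int(stamp)
        except ValueError:
            return False  # malformed token
        if ver != "1" or res != resource or bits < self.bits:
            return False  # wrong version, wrong resource, or price too low
        if (not 0 <= now - stamp <= self.max_age or token in self.seen
                or leading_zero_bits(hashlib.sha256(token.encode()).digest()) < bits):
            return False  # stale, replayed, or the work was not actually done
        self.seen.add(token)
        return True
```

The double-spend set is what prevents a single token from being reused across calls, so it must be shared by every gateway instance that verifies tokens.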