Where should I place API keys in REST API calls?

Tags:

rest

There are three options:

  1. Header
  2. URL
  3. Body

I haven't done too much work with authentication but am building an API that will need it. What I have done previously is parse the API key (e.g. SHA-256) in the body of a POST request.

But I have just realised that you can't do this with GET requests, right? So I need to find the most secure way of authenticating each API request.

I was thinking, would it be more secure to pass the user's authentication key (which is stored in the users database table) as well as an OAuth key with each request? This way any hacker would need two keys to get into the system?

How should I go about this?

Example:

To authenticate every request, would I have the router check each request for an API key?

Sort of like this:

app.all('/api/v1/*', [require('./middlewares/validateRequestAPIKEY')]);

James111 asked Oct 30 '22 12:10


1 Answer

I have designed a few APIs for mobile applications, and the following is what I have implemented for my clients:

The keys will be passed in the header.

On the server side I check for keys on each API call for validation; in some APIs you might need to skip the validation (login is one example).

Here are my implementations:

1) Token/key expiration is not required:

  • User registers into the system
  • Server generates a unique key for the user and stores it in the system (you can just give a public key to the client for encryption and store a private key on the server for decryption)
  • Client sends this key in each subsequent request (you can encrypt the key with some other algorithm which can be decrypted at the server for additional security)

2) When the token requires expiration:

  • Create an API which generates keys for a limited period of time; the client calls this API to get the key, and the API checks whether the client is a valid user and returns a key for a specific period of time.
  • In the next API request the client sends the keys in the header; the server checks whether the token/keys are valid or expired; if valid, it performs the operation, else it sends a response to the client to generate keys again.
  • You can again encrypt the keys with another algorithm for additional security.

Hope that helps.

Harshal Bulsara answered Nov 15 '22 06:11