API key

{{Short description|Identifier for authenticating with an API}}

{{more citations needed|date=October 2018}}

An application programming interface (API) key is a secret unique identifier used to authenticate and authorize a user, developer, or calling program to an API.{{Cite web|url=https://blog.rapidapi.com/api-glossary/api-key/|title=API Key - What is an API Key?|website=Last Call - RapidAPI Blog|language=en-US|access-date=2019-09-20}}{{Cite conference |last=Lu |first=HongQian 2014 |title=Keeping Your API Keys in a Safe |url=https://ieeexplore.ieee.org/document/6973849 |conference=IEEE 7th International Conference on Cloud Computing |doi=10.1109/CLOUD.2014.143 |via=IEEE Xplore|url-access=subscription }}

Cloud computing providers such as Google Cloud Platform and Amazon Web Services recommend that API keys only be used to authenticate projects, rather than human users.{{Cite web |title=What is an API Key? - API Keys and Tokens Explained - AWS |url=https://aws.amazon.com/what-is/api-key/ |access-date=2024-09-01 |website=Amazon Web Services, Inc. |language=en-US}}{{Cite web |title=Why and when to use API keys {{!}} Cloud Endpoints with OpenAPI |url=https://cloud.google.com/endpoints/docs/openapi/when-why-api-key |access-date=2024-09-01 |website=Google Cloud |language=en}}

Usage

= HTTP APIs =

API keys for HTTP-based APIs can be sent in any of several places, most commonly the query string, a request header, or a cookie:{{Cite web|url=https://swagger.io/docs/specification/authentication/api-keys/|title=API Keys|website=Swagger|url-status=live|archive-url=https://web.archive.org/web/20191017214615/https://swagger.io/docs/specification/authentication/api-keys/ |archive-date=2019-10-17}}

In the query string:

POST /something?api_key=abcdef12345 HTTP/1.1

As a request header:

GET /something HTTP/1.1

X-API-Key: abcdef12345

As a cookie:

GET /something HTTP/1.1

Cookie: X-API-KEY=abcdef12345
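The following is an added example (not code from the original article or from any API vendor) showing how a server would locate a key sent in any of the three places above. The header name, cookie name and query parameter follow the examples on this page; the precedence order (header, then cookie, then query string) and the sample requests are assumptions made for the example. The function also reports where the key was found, so a server can refuse keys carried in the query string, where they end up in access logs and Referer headers.

```python
"""Locate an API key in a raw HTTP/1.1 request (added example).

Looks in the X-API-Key header, the X-API-KEY cookie and the api_key
query parameter, in that order, and reports which one carried the key.
"""
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

HEADER_NAME = "x-api-key"   # header field names are case-insensitive
COOKIE_NAME = "X-API-KEY"   # cookie names are case-sensitive
QUERY_PARAM = "api_key"

# Constructed sample requests mirroring the three forms shown in the text.
QUERY_REQUEST = (
    b"POST /something?api_key=abcdef12345 HTTP/1.1\r\n"
    b"Host: api.example\r\n\r\n"
)
HEADER_REQUEST = (
    b"GET /something HTTP/1.1\r\n"
    b"Host: api.example\r\n"
    b"X-API-Key: abcdef12345\r\n\r\n"
)
COOKIE_REQUEST = (
    b"GET /something HTTP/1.1\r\n"
    b"Host: api.example\r\n"
    b"Cookie: session=xyz; X-API-KEY=abcdef12345\r\n\r\n"
)
NO_KEY_REQUEST = b"GET /something HTTP/1.1\r\nHost: api.example\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw request into (method, target, lower-cased header map)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_api_key(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (key, location) or None when no key is present.

    location is "header", "cookie" or "query"; callers that want to
    forbid keys in URLs (they leak into logs) can reject "query".
    """
    _method, target, headers = parse_request(raw)

    if HEADER_NAME in headers:
        return headers[HEADER_NAME], "header"

    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        if COOKIE_NAME in jar:
            return jar[COOKIE_NAME].value, "cookie"

    query = parse_qs(urlsplit(target).query)
    if QUERY_PARAM in query:
        return query[QUERY_PARAM][0], "query"

    return None


if __name__ == "__main__":
    for req in (QUERY_REQUEST, HEADER_REQUEST, COOKIE_REQUEST, NO_KEY_REQUEST):
        print(extract_api_key(req))
```

Because the query-string form is the one most likely to be copied into logs, browser history and Referer headers, a server that accepts all three forms should at least log a warning, and preferably reject the request, when the location returned is `"query"`.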

Security

API keys on their own are generally not considered a strong authentication mechanism: they are typically embedded in client code or configuration, so anyone with access to the client can read and reuse them. Keys often have no expiration, meaning a stolen key can be used indefinitely unless revoked or regenerated.{{Cite web |title=Why and when to use API keys {{!}} Cloud Endpoints with OpenAPI |url=https://cloud.google.com/endpoints/docs/openapi/when-why-api-key |access-date=2019-09-20 |website=Google Cloud |language=en}} A key is supposed to be a secret known only to the client and the server, so it should never be sent over an insecure channel, and it can only be considered secure when used in conjunction with other security mechanisms such as HTTPS to protect it in transit.

The risk scenarios that arise when using API keys generally stem from the key existing in plaintext somewhere an adversary can reach it: in client-side source code or configuration, in server, proxy or browser logs when it is sent in a query string, or on the wire when it is sent over an unencrypted connection.
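The following is an added example (not code from the original article or from any cloud provider) of the server-side handling that addresses the weaknesses described above: keys are generated from a cryptographic random source, stored only as hashes so a database leak does not expose usable keys, issued with an expiry, revocable, and compared in constant time. The key format `ak_<id>.<secret>`, the class and function names, and the use of a short prefix to help secret scanners recognise leaked keys are assumptions made for this example.

```python
"""Issue, verify, expire and revoke API keys (added example).

Assumed key format: ak_<key id>.<random secret>. The server keeps only a
SHA-256 hash of the full key; the plaintext is shown to the client once.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

KEY_PREFIX = "ak_"  # assumed prefix; lets secret scanners spot leaked keys


def _hash(key: str) -> bytes:
    # API keys are high-entropy random strings, so a fast hash is adequate
    # at rest (unlike passwords, which need a slow, salted KDF).
    return hashlib.sha256(key.encode()).digest()


def key_id_of(key: str) -> str:
    """Extract the public key id from a full key string."""
    return key[len(KEY_PREFIX):].split(".", 1)[0]


@dataclass
class KeyRecord:
    key_hash: bytes
    project: str        # keys identify a project, not a human user
    expires_at: float   # Unix time; every key has a finite lifetime
    revoked: bool = False


class ApiKeyStore:
    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}
        # Hash compared against when the id is unknown, so a miss takes the
        # same time as a wrong secret and does not reveal which ids exist.
        self._dummy = _hash(secrets.token_urlsafe(32))

    def issue(self, project: str, ttl_seconds: float,
              now: Optional[float] = None) -> str:
        """Create a key for `project`; the plaintext is returned once."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(6)
        key = f"{KEY_PREFIX}{key_id}.{secrets.token_urlsafe(32)}"
        self._records[key_id] = KeyRecord(_hash(key), project, now + ttl_seconds)
        return key

    def revoke(self, key_id: str) -> None:
        """Mark a key unusable; rotation is issue() followed by revoke()."""
        if key_id in self._records:
            self._records[key_id].revoked = True

    def verify(self, presented: str,
               now: Optional[float] = None) -> Tuple[Optional[str], str]:
        """Return (project, "ok") or (None, reason) for a presented key."""
        now = time.time() if now is None else now
        if not presented.startswith(KEY_PREFIX) or "." not in presented:
            return None, "malformed"
        record = self._records.get(key_id_of(presented))
        expected = record.key_hash if record is not None else self._dummy
        match = hmac.compare_digest(expected, _hash(presented))  # constant time
        if record is None or not match:
            return None, "invalid"
        if record.revoked:
            return None, "revoked"
        if now >= record.expires_at:
            return None, "expired"
        return record.project, "ok"


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("billing-service", ttl_seconds=3600)
    print(key, store.verify(key))
    store.revoke(key_id_of(key))
    print(store.verify(key))
```

Storing only the hash means the operator cannot recover a lost key, which is the intended property: a leaked key table is useless to an attacker, and a client that loses its key simply has a new one issued and the old one revoked.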

Incidents

In 2017, Fallible, a Delaware-based security firm, examined 16,000 Android apps and identified over 300 that contained hard-coded API keys for services such as Dropbox, Twitter, and Slack.{{Cite web |title=Hundreds of popular Android apps contain hard-coded secret keys |url=https://www.zdnet.com/article/secret-tokens-found-hard-coded-in-hundreds-of-android-apps/ |access-date=2022-06-20 |website=ZDNet |language=en}}

References

{{reflist}}
