munich

Reputation: 530

How can I protect access to an API without having tokens/passwords on the URL?

I have made a RESTful API for my SaaS site.

To use it, users have to input a token key as an argument in the URL.

Even though it's under SSL, I don't like the fact that the key goes in the URL.

What are other ways to secure an API?

Upvotes: 2

Views: 84

Answers (1)

Pedro Werneck

Reputation: 41888

The usual approach is to send the token in an HTTP header, not the URI. You should use the Authorization header itself to keep it standard. When you need to send a token and not a user/password, use a custom realm.

For instance, you can use something like:

Authorization: MyCompanyLogin apikey="8hj34893u32j9023r02r"

Upvotes: 1
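As an added illustration of the header-based approach in the answer above (example code, not from the asker or the answerer), here is a small server-side check: it parses an `Authorization` header that uses the custom `MyCompanyLogin` scheme, compares the presented key against a hashed key store in constant time, and refuses any key that still arrives in the query string. The key value, the `KEY_STORE` layout and the `authenticate` helper are assumptions made for this example.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample: the key a client holds, and a server-side store that
# keeps only a SHA-256 hash of it, so a leaked store does not leak usable keys.
SAMPLE_API_KEY = "8hj34893u32j9023r02r"
KEY_STORE = {hashlib.sha256(SAMPLE_API_KEY.encode()).hexdigest(): "acme-client"}

SCHEME = "MyCompanyLogin"  # the custom scheme shown in the answer
# auth-param grammar: name="quoted value" or name=token (RFC 7235 style)
_PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*([^\s,"]+)')


def parse_authorization(header: Optional[str]) -> Optional[dict]:
    """Parse 'MyCompanyLogin apikey="..."' into its auth-params; None if malformed."""
    if not header:
        return None
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != SCHEME.lower():  # scheme names are case-insensitive
        return None
    params = {}
    for m in _PARAM_RE.finditer(rest):
        name = (m.group(1) or m.group(3)).lower()
        params[name] = m.group(2) if m.group(2) is not None else m.group(4)
    return params


def authenticate(headers: dict, query: dict) -> Optional[str]:
    """Return the client id for a valid header-borne key, else None.

    A key in the query string is refused outright, so clients that keep the
    old ?apikey= habit fail loudly instead of leaking the key into logs.
    """
    if "apikey" in query:
        return None
    params = parse_authorization(headers.get("Authorization"))
    if not params or "apikey" not in params:
        return None
    presented = hashlib.sha256(params["apikey"].encode()).hexdigest()
    for stored_hash, client in KEY_STORE.items():
        # constant-time comparison avoids leaking how many bytes matched
        if hmac.compare_digest(presented, stored_hash):
            return client
    return None
```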
