rockstardev

Reputation: 13527

Will this make my API KEY Secure?

Generally people would have an API that can be called using, for example, something like this:

example.com/api/getProducts

To make it more secure, you might add an API key like this

example.com/api/MdjKD8dsjkKHjkhsdlouyhDSsdf32jfh/getProducts

The problem with this is that technically, somebody with lots of resources could iterate over this range and eventually guess a correct API Key. Even though blocking IPs could work, nowadays people have all kinds of ways to use different IPs.

That is why I am considering the following:

example.com/api/USERNAME/MdjKD8dsjkKHjkhsdlouyhDSsdf32jfh/getProducts

That way, if the username is guessed correctly, but the key is wrong, I can block the user after 5 or 10 guesses, or at least block them for 15 minutes. I believe this will make it more secure. However, it comes with the downside that somebody else could block someone's account if they know their e-mail address.

What is the best approach in this case?

Upvotes: 0

Views: 56

Answers (1)

gregmac

Reputation: 25301

Your hypothetical API key of MdjKD8dsjkKHjkhsdlouyhDSsdf32jfh is 32 characters, presumably using base 62 (lower case + upper case alpha + numbers). So there are 62^32 = 2.27 x 10^57 possible keys.

Assuming someone could make 1 million attempts per second (eg: your server doesn't keel over and die..), it would take 720 thousand trillion trillion trillion centuries (though my quick conversion may be off by million years or so) to exhaust the search space.

It's not necessarily a great idea to keep the API key in the URL though, as that typically gets logged. Better to put it in a request header, eg the Authorization header is a great spot.

Upvotes: 3
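The two points in this answer, the size of the search space for a 32-character base-62 key and reading the key from the Authorization header instead of the URL, as an added Python example. This is illustration code written for this page, not code from either poster; the key store, the sample usernames and the request headers are constructed for the demo, and keys are kept as SHA-256 hashes rather than in the clear, which is an added design choice the answer does not mention.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict, Optional

ALPHABET = string.ascii_letters + string.digits  # base 62: a-z, A-Z, 0-9
SECONDS_PER_CENTURY = 60 * 60 * 24 * 365.25 * 100


def search_space(length: int, alphabet_size: int = 62) -> int:
    """Number of distinct keys of the given length over the alphabet."""
    return alphabet_size ** length


def centuries_to_exhaust(length: int, guesses_per_second: int = 1_000_000,
                         alphabet_size: int = 62) -> float:
    """Centuries needed to try every key at a fixed guess rate (the answer's estimate)."""
    return search_space(length, alphabet_size) / guesses_per_second / SECONDS_PER_CENTURY


def generate_api_key(length: int = 32) -> str:
    """Random base-62 key drawn from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def key_fingerprint(key: str) -> str:
    """Server stores only this digest; a leaked table does not leak usable keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def make_store(keys_by_user: Dict[str, str]) -> Dict[str, str]:
    """Constructed demo store: maps SHA-256(key) -> username."""
    return {key_fingerprint(key): user for user, key in keys_by_user.items()}


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Pull the key out of 'Authorization: Bearer <key>'; anything else is rejected."""
    auth = headers.get("Authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def authenticate(headers: Dict[str, str], store: Dict[str, str]) -> Optional[str]:
    """Return the username for a valid key presented in the header, else None.

    The presented key is hashed and looked up by digest; the final comparison
    uses hmac.compare_digest so timing does not depend on how many bytes match.
    """
    token = extract_bearer_token(headers)
    if token is None:
        return None
    presented = key_fingerprint(token)
    for stored_digest, user in store.items():
        if hmac.compare_digest(stored_digest, presented):
            return user
    return None


# Constructed sample data for the demo (not real credentials).
DEMO_KEYS = {"alice": "MdjKD8dsjkKHjkhsdlouyhDSsdf32jfh", "bob": generate_api_key()}
DEMO_STORE = make_store(DEMO_KEYS)

if __name__ == "__main__":
    print(f"62^32 = {search_space(32):.3e} keys")
    print(f"{centuries_to_exhaust(32):.3e} centuries at 1M guesses/s")
    good = {"Authorization": f"Bearer {DEMO_KEYS['alice']}"}
    bad = {"Authorization": "Bearer MdjKD8dsjkKHjkhsdlouyhDSsdf32jfX"}
    print(authenticate(good, DEMO_STORE), authenticate(bad, DEMO_STORE))
```

Because the key travels in a header, request paths such as /api/getProducts can be logged in full without recording credentials, which is the practical reason the answer prefers the header over the URL.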
