API key encryption in RESTful API?

Question

I am building an API, I plan to use API key, url request will be called like this:

http://myapi.com/apikey=mykey

But in this case, using WebCrawler, people can see the api key, so I wonder how to make it safe?

Answer 1

When building an API that requires authentication, you'll usually assign a unique key per user, and I'll be up to him to know how to use it. Usually the best approach is to only call your API via server calls (for example, using a C# client to connect to your API, instead of doing it via javascript where anyone on the page will be able to read the key), that way they'll avoid doing stuff like storing the API key in the javascript code, but again, it'll be up to them if they want to do it with direct javascript calls. Still, just as Murali suggested, I think that a header will be a lot better than a URL parameter, at least by doing it like that, the key will not be totally visible for anyone looking at the url.

If you're also concerned about a man in the middle, you should also enforce your API to only be accesible via HTTPS, that way all the communication will be encrypted and there'll be no way for a man in the middle to know the API key (assuming that the crypto part was configured correctly).

Now, if you want to work with temporal keys in a more elegant way, you can always take a look at OAuth2. Long story short, it allows you to configure an authentication server where you'll provide a secret identifier for your API consumers to create temporal keys for your API, so even if one of your API keys gets compromised, it'll not be a big problem, since those keys will be renewed after a few hours (it could be more or less, depending of your configuration. Also, remember that your consumers will need to protect their OAuth credentials, since those credentials will allow them to request for new keys).