.What's the risk with simple 1 key REST API?

Question

Please forgive me if this is dumb, not my field.

Say I would like to provide an API for my users like this :

www.mydomain.com/USER-API-KEY/some-user-data

Where the USER-API-KEY is 16 characters and numbers unique ID per user, known only to him.

Say the user use this to write data to a server (Amazon/Firebase, etc).

Why is this API considered to be not safe ? is there a way to make this API more safe from attacks by keeping this simplicity ?

Answer 1

What risks you take entirely depend on you. Passing sensitive information (like an access token or api key) in the URL has its risks, but you can decide to accept those risks.

A few things that come to mind:

• URLs get logged. They get logged on intermediate proxies, and they also get logged on the server that actually serves your API. It may be possible for an attacker to gain access to those logs, compromising API keys.

• Not really security-related, but a change in the API key will in your scheme invalidate all cached results, which may have a potential effect on performance if keys change often (as they should, especially if you're sending them in the URL).

• Some of your clients may have explicit policies against sending sensitive data in the URL. This means the risk in your solution is not only technical, it also has a "client relationship side" if you like.

So in short the security best practice is not to send API keys like that. If you do so, it will likely be found in a later penetration test as a vulnerability.

You can still decide to do so, and quite honestly, this is probably not how (if ever) your application will be hacked. But accepting this risk should be an informed decision.