Reputation: 59
According to Cloud Endpoint docs, it seems like you have to pass the API key in the URL itself as a query parameter.
However, that makes us vulnerable to man in the middle attacks. I was wondering if there was a way to have it work by passing the API key in the header instead.
I am working on a simple app which does not have any sign-in methods integrated already. Is there any alternative way of authentication in Cloud Endpoints where I am not required to add any existing sign-in method but will be able to use API keys securely?
Upvotes: 1
Views: 2567
Reputation: 11
Yes, it is possible to specify the API key in the header.
Here is an excerpt from Google's documentation on API key definition limitations:
When specifying an API key in the security definitions object in your OpenAPI document, Endpoints requires one of the following schemes:
- The name is key and the in is query
- The name is api_key and the in is query
- The name is x-api-key and the in is header
Refer to this link for more information and examples: https://cloud.google.com/endpoints/docs/openapi/openapi-limitations
Upvotes: 1
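To make the quoted limitation concrete, here is an added OpenAPI v2 definition (example code written for this page, not taken from the question, the answers or Google's documentation) that declares the header-based scheme alongside the query-based one. The Endpoints rule is that the scheme's `name` must be exactly one of the three listed values (`key` or `api_key` with `in: query`, `x-api-key` with `in: header`); any other name is ignored at deploy time. The title, host (`PROJECT_ID`) and `/echo` path are placeholders, not values from the page. Note also that with HTTPS both a header and a query string are encrypted on the wire; the practical reason to prefer the header is that query strings tend to end up in server access logs, proxy logs, browser history and Referer headers, where a key leaks without any man-in-the-middle at all.

```yaml
swagger: "2.0"
info:
  title: "example-api"        # placeholder title (assumption)
  version: "1.0.0"
# Placeholder host; PROJECT_ID stands for the real project id.
host: "example-api.endpoints.PROJECT_ID.cloud.goog"
schemes:
  - "https"                   # keys must never travel over plain HTTP

securityDefinitions:
  # Header-based scheme: Endpoints only honours the literal name x-api-key here.
  api_key_header:
    type: "apiKey"
    name: "x-api-key"
    in: "header"
  # Query-based scheme, shown for comparison: the name must be key or api_key.
  api_key_query:
    type: "apiKey"
    name: "key"
    in: "query"

paths:
  "/echo":                    # placeholder path
    get:
      summary: "Echo endpoint (placeholder)"
      operationId: "echoGet"
      # Only the header scheme is required for this operation, so a
      # request must carry an "x-api-key: <key>" header (case-insensitive).
      security:
        - api_key_header: []
      responses:
        200:
          description: "OK"
```

A request would then be sent as `GET https://<host>/echo` with the header `x-api-key: <key>`; a key supplied only as `?key=<key>` would not satisfy this operation's security requirement, because each operation lists the schemes it accepts.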
Reputation: 21
I am finding that actually, it is possible (at least with Google API Gateway, I might try later to see how it goes with Cloud Endpoints).
Please note, the name to use for the header is:
'X-API-Key' (or 'x-api-key', it is not case sensitive).
It works fine for me like that.
Upvotes: 2
Reputation: 75745
I tried to define it as described in the OpenAPI v2 spec:
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "x-key"
    in: "header"
And I got this error message when deploying my Cloud Endpoint definition.
WARNING: service.yaml: apiKey 'x-key' is ignored. Only apiKey with 'name' as 'key' and 'in' as 'query' are supported
So, it's not possible.
Upvotes: 4
Reputation: 604
API keys are generally not secure.
For server-to-server communication, one of the ways to make them secure is using HTTPS and IP whitelisting.
However, for (browser or mobile client)-to-server communication, we need to store the API key in the client, and of course it will be exposed to people.
For secure client-server communication with Google Cloud Endpoints, please try adding an authentication method like Firebase or Google ID.
Upvotes: 2