guillaumearnx

Reputation: 172

API Authentication Methods

I've created a small wishlist project.

I want to serve an API for users, who have an API key.

My webserver runs on TLS (HTTPS). Is it safe for users to send the API key in the clear in the HTTP headers like that?

curl -H "Authorization: api_key MY_APP_API_KEY" https://myapp.example.com

Otherwise, what should I use?

I would like not to use OAuth2, which is too complex for my little project.

Upvotes: 0

Views: 557

Answers (2)

Jakub Ner

Reputation: 46

Is this a Web product?

If so, keep in mind your MY_APP_API_KEY will be fully available in the browser.

If it is a Web product, maybe consider a simple alternative like https://pay2my.app for logins (I'm involved in that OSS project)? Users log in browser-side and send their own token + signature to the server: the server just validates that.

Otherwise you're already good to go as per the first answer 👍.

Upvotes: 0

Soumen Mukherjee

Reputation: 3262

Yes, it is perfectly safe. HTTPS encrypts all message contents, including the HTTP headers and the request/response data.

Upvotes: 1
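
Added example, not part of the question or either answer: a server-side check for the `Authorization: api_key ...` header from the question's curl command, covering what TLS does not (how the key is stored, compared and logged once it arrives). The function names, the in-memory `store` dict and the `is_https` flag are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SCHEME = "api_key"  # scheme word taken from the question's curl command


def hash_key(api_key: str) -> str:
    """Digest used for storage; the key itself is random and high-entropy."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_key(store: dict, user: str) -> str:
    """Create a key, keep only its digest server-side, return the key once."""
    api_key = secrets.token_urlsafe(32)
    store[hash_key(api_key)] = user
    return api_key


def authenticate(store: dict, headers: dict, is_https: bool):
    """Return the owning user for a valid request, otherwise None."""
    if not is_https:  # never accept the key over plain HTTP
        return None
    parts = headers.get("Authorization", "").split()
    if len(parts) != 2 or parts[0].lower() != SCHEME:
        return None
    presented = hash_key(parts[1])
    user = None
    for stored, owner in store.items():
        # constant-time comparison of the two hex digests
        if hmac.compare_digest(stored, presented):
            user = owner
    return user


def redact_headers(headers: dict) -> dict:
    """Copy of the headers that is safe to write to access logs."""
    out = dict(headers)
    if "Authorization" in out:
        scheme = out["Authorization"].split(" ", 1)[0]
        out["Authorization"] = f"{scheme} [REDACTED]"
    return out
```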
