
I see this word in almost every cross service application these days.

What exactly is an API key and what are its uses?

Also, what is the difference between public and private API keys.

OrangeRind

6 Answers


What "exactly" an API key is used for depends very much on who issues it, and what services it's being used for. By and large, however, an API key is the name given to some form of secret token which is submitted alongside web service (or similar) requests in order to identify the origin of the request. The key may be included in some digest of the request content to further verify the origin and to prevent tampering with the values.

Typically, if you can identify the source of a request positively, it acts as a form of authentication, which can lead to access control. For example, you can restrict access to certain API actions based on who's performing the request. For companies which make money from selling such services, it's also a way of tracking who's using the thing for billing purposes. Further still, by blocking a key, you can partially prevent abuse in the case of too-high request volumes.

In general, if you have both a public and a private API key, then it suggests that the keys are themselves a traditional public/private key pair used in some form of asymmetric cryptography, or related, digital signing. These are more secure techniques for positively identifying the source of a request, and additionally, for protecting the request's content from snooping (in addition to tampering).

Rob
  • Well put! However, in my somewhat limited experience, the public/private distinction has nothing to do with public key crypto. The "public" keys I've seen are typically "access lite" -- in other words, a key you can distribute to grant third parties access to non-sensitive data, without giving away the keys to the kingdom. – timdev Sep 21 '09 at 06:46
  • @Rob +1 for the detailed answer @tim +1 for the afterthought! – OrangeRind Sep 21 '09 at 07:37
  • @tim - agreed. I think the more common approach I've seen is to have a private digest key. – Rob Sep 24 '09 at 19:48
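Rob's answer describes two mechanisms in one sentence: a key sent alongside the request to identify its origin, and that key folded into a digest of the request content so the server can also detect tampering. The following is an added example, not code from the question or from any of the answerers, showing both sides of that exchange in Python. The client sends a public key id in the clear and never transmits the private key; it uses it only to compute an HMAC over the method, path, body hash and a timestamp. The server looks the id up, recomputes the digest, rejects stale or altered requests, and then applies the per-key access control and scope policy Rob mentions. The credentials, header names and scope table are constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample credentials for this example (assumption: not from any
# real service). "pk_..." is the public key id sent with every request; the
# secret stays on the client and is only ever used to compute the digest.
CLIENTS = {
    "pk_demo_alice": {"secret": b"alice-demo-secret", "scopes": {"read", "write"}},
    "pk_demo_bob": {"secret": b"bob-demo-secret", "scopes": {"read"}},
}

# Hypothetical policy: which scope each HTTP method requires.
SCOPE_REQUIRED = {"GET": "read", "POST": "write", "PUT": "write", "DELETE": "write"}


@dataclass
class Request:
    method: str
    path: str
    body: bytes
    headers: dict = field(default_factory=dict)


def canonical_string(method, path, body, timestamp, key_id):
    """The exact bytes both sides agree to sign: method, path, a hash of the
    body, the timestamp and the key id, newline separated."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, str(timestamp), key_id]).encode()


def compute_signature(secret, method, path, body, timestamp, key_id):
    msg = canonical_string(method, path, body, timestamp, key_id)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_sign(key_id, secret, method, path, body, now=None):
    """Client side: attach the public key id, a timestamp and the HMAC.
    The secret itself is never placed in the request."""
    ts = int(time.time() if now is None else now)
    sig = compute_signature(secret, method, path, body, ts, key_id)
    return Request(method, path, body, {
        "X-Api-Key": key_id,
        "X-Timestamp": str(ts),
        "X-Signature": sig,
    })


def server_verify(req, now=None, max_skew=300):
    """Server side: identify the caller, check freshness, recompute the
    digest, then apply access control. Returns (accepted, reason)."""
    key_id = req.headers.get("X-Api-Key", "")
    client = CLIENTS.get(key_id)
    if client is None:
        return False, "unknown key"
    try:
        ts = int(req.headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time() if now is None else now)
    if abs(now - ts) > max_skew:
        return False, "stale request"  # bounds replay of a captured request
    expected = compute_signature(client["secret"], req.method, req.path,
                                 req.body, ts, key_id)
    # Constant-time comparison so timing does not leak the expected digest.
    if not hmac.compare_digest(expected, req.headers.get("X-Signature", "")):
        return False, "bad signature"  # wrong secret or tampered request
    if SCOPE_REQUIRED.get(req.method, "write") not in client["scopes"]:
        return False, "scope denied"
    return True, "ok"


if __name__ == "__main__":
    req = client_sign("pk_demo_alice", b"alice-demo-secret", "POST", "/items", b'{"n":1}')
    print(server_verify(req))
```

Because the body hash is part of the signed string, changing a single byte of the body invalidates the signature even though the key id and signature headers are copied unchanged; the timestamp window is what keeps a recorded request from being replayed indefinitely, which a bare key in a header cannot prevent.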

Very generally speaking:

An API key simply identifies you.

If there is a public/private distinction, then the public key is one that you can distribute to others, to allow them to get some subset of information about you from the api. The private key is for your use only, and provides access to all of your data.

timdev
  • most of the time they look like hashes. is my observation correct? – OrangeRind Sep 21 '09 at 06:19
  • They can be generated however you want, as long as they are unique. A hash of some data seems like a reasonable way to generate one, yes. – Matthew Scharley Sep 21 '09 at 06:22
  • Yes, they look like hashes. After all, you don't want them to be easy to guess. – timdev Sep 21 '09 at 06:22
  • More or less - most bog standard API keys are generated by hashing some pseudorandom value and performing some standard plain-text encoding on the result, e.g. base16, base64 etc. – Rob Sep 21 '09 at 06:23
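The comments above settle on "random value, encoded so it looks like a hash", and timdev's answer describes a public key that grants a subset of access and a private key that grants all of it. As an added example (not code from any of the answerers), the Python below generates keys from the OS CSPRNG, stores only a SHA-256 fingerprint on the server so a leaked database does not expose usable keys, and checks the presented key on every request against that registry, including the public/private scope split and revocation. The `KeyStore` class, its field names and the 'public'/'private' scope labels are assumptions made for the example.

```python
import base64
import hashlib
import secrets


def generate_api_key(nbytes=32):
    """256 bits from the OS CSPRNG, base64url encoded without padding.
    It is the entropy that makes the key unguessable, not any hashing."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def fingerprint(key):
    """What the server keeps instead of the key itself. SHA-256 is enough
    here because the input is high-entropy, unlike a user-chosen password."""
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Hypothetical server-side registry of issued keys (assumption: held in
    memory for the example; a real service would persist the same fields)."""

    def __init__(self):
        self._records = {}  # fingerprint -> record; raw keys are never stored

    def issue(self, owner, scope):
        """scope is 'public' (subset of the owner's data, safe to hand out)
        or 'private' (all of the owner's data)."""
        key = generate_api_key()
        self._records[fingerprint(key)] = {"owner": owner, "scope": scope, "revoked": False}
        return key  # shown to the owner once; cannot be recovered later

    def revoke(self, key):
        """Blocking a key is how abuse or a leak is dealt with without
        touching any other key the owner holds."""
        rec = self._records.get(fingerprint(key))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def authorize(self, key, needs_private=False):
        """Check a presented key on each request. Returns the owner name on
        success, or None when the key is unknown, revoked or under-scoped."""
        rec = self._records.get(fingerprint(key))
        if rec is None or rec["revoked"]:
            return None
        if needs_private and rec["scope"] != "private":
            return None
        return rec["owner"]


if __name__ == "__main__":
    store = KeyStore()
    public_key = store.issue("alice", "public")
    private_key = store.issue("alice", "private")
    print(public_key, store.authorize(public_key))
    print(private_key, store.authorize(private_key, needs_private=True))
```

Looking the key up by its fingerprint avoids a byte-by-byte comparison against every stored key; the dictionary lookup is not constant time, but what its timing could reveal is information about a SHA-256 digest of a 256-bit random value, which does not help recover the key.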

It looks like many people use API keys as a security solution. The bottom line is: never treat API keys as secret; they are not. On HTTPS or not, whoever can read the request can see the API key and can make whatever call they want. An API key should be treated just as a 'user' identifier, as it's not a complete security solution even when used with SSL.

A better description is in Eugene Osovetsky's link to: When working with most APIs, why do they require two types of authentication, namely a key and a secret? Or check http://nordicapis.com/why-api-keys-are-not-enough/

timandtheocean
  • As you can see, this is an old question, and may likely be considered "too broad" (or perhaps "off-topic") according to modern Stack Overflow standards. Such questions tend to attract opinionated answers, which are usually downvoted and/or deleted. Staying away from such questions is _usually_ the best course of action. You can take a look at the [help/on-topic] for more information. – Dev-iL Apr 08 '17 at 23:12

An API key is a unique value that is assigned to a user of this service when he's accepted as a user of the service.

The service maintains all the issued keys and checks them at each request.

By looking at the supplied key at the request, a service checks whether it is a valid key to decide on whether to grant access to a user or not.

  • so what about the public and private one? – OrangeRind Sep 21 '09 at 06:17
  • Public and private keys come from the domain of encryption and have something to do with asymmetric encryption. I've never heard these terms used in the sense of API keys. – Sep 21 '09 at 06:20

API keys are just one way of authenticating users of web services.

GG.

Think of it this way: the "Public API Key" is similar to a user name that your database is using as a login to a verification server. The "Private API Key" would then be similar to the password. By the site/database using this method, the security is maintained on the third party/verification server in order to authenticate requests to post to or edit your site/database.

The API string is just the URL of the login for your site/database to contact the verification server.