4

Please someone explain me how to use an api key and what is it good for.

I have searched a lot about this and I got different and conflicting answers. One says that an API key is kept secret and its never sent as the part of the communication, while others send it to the client without any encryption. What is the client's signature? How can he generate it and what can do the server with it? Why should monkeying with api keys instead of using the good old username-password pair? Could someone explain me how the communications look between a client (Android device) and the server (php api) in detail.

I'd appreciate any good tutorials, code samples, and explanations for beginners.

David P
  • 3,604
  • 3
  • 37
  • 54
ACs
  • 1,325
  • 2
  • 21
  • 39
  • what do u want to do exactly ? – Qarib Haider Mar 20 '14 at 12:15
  • There is an Android application which communicates with the API. The clinet can send GET and PUT requests to ask and modify resources on the server. And I want to authenticate the users to see if they are logged in and do they have permission the edit the resource – ACs Mar 20 '14 at 12:31

2 Answers2

10

The topic of API authentication is a complex one. Below I'm going to do my best to explain one part of the issue: why is an API key better than a username / password?

Here we go.

When building (or working with an API), a common question developer's ask is "Why does this service require an API key instead of my username and password?" It's a great question!

First, let's talk about what API keys typically are.

API keys are usually randomly generated strings of letters and numbers. Furthermore, an API key typically comes in two parts: an ID and a secret. If you're using a web service like Stormpath, for instance, you might have two API keys that look like this:

  • API_KEY_ID=kzjbOg3iOm4k4MRpBss76yxlZSPJtoOPaqxirsfX
  • API_KEY_SECRET=A8FnQWM7RpgGjU3sZjOUgMIq5t8mvAhQES9iE30S

You can think of an API key ID as a username. This is a globally unique identifier which allows the API service to find your account.

You can think of an API key secret as a password. This is a password that, when matched up with the correct API key ID, will grant you access to the API service in question.

The main reason you WOULDN'T want to use a username and password to authenticate against an API is that:

  • Even if the API is served over SSL, there are many exploits available which can compromise your credentials. If you used your username / password to log into API services, and an attacker grabs these credentials, they have access to your account as a whole.

  • If you use your username / password to authentication against an API, what happens if one of your servers / API clients is compromised? This means you need to reset your username / password and update it for all of the clients which are using it. This can be time consuming, and costly.

  • By using a username / password, you're usually restricting yourself to a certain type of API usage. By having API key pairs, you're able to separate out API credentials to different levels of access (maybe on key pair can only access certain data, while another can access other types of data).

API key pairs are, in general, a much better idea. In addition to the obvious security benefits, they also serve other purposes:

  • If an API key pair is leaked, you can usually create / cycle API key pairs without needing to update every single client you own.

  • You can use API key pairs to provide sub-account functionality for your API.

Hope that helps!

rdegges
  • 32,786
  • 20
  • 85
  • 109
1

have a look at this

REST authentication and exposing the API key

Why do some API providers require an API key?

And study a lil about Oauth

Community
  • 1
  • 1
Abhishek
  • 517
  • 3
  • 18