
Why is it required to protect API calls with an additional API key secret and sign the API call?

Sending only one API key over an SSL connection should be enough to protect requests, IMHO.

Is it because some clients will be unable to make HTTPS connections (or verify the server cert.) and the API should cater to them, or is there another reason?

Most APIs require using two API keys, an API key and an API key secret, plus a tnonce (UNIX timestamp), and then signing the API call using some hashing algorithm. Is it really so necessary, since every call is made over SSL?

opengrid

1 Answer

For many web APIs, a developer is required to obtain an API key that they must use with all their API requests. The uses I've seen are generally not for security reasons (thus SSL doesn't replace the need for the API key), but rather are used to track which API requests belong to which developer.

This is even more important when the API requests are coming from JavaScript in a web page because, in those cases, the IP address of a given request will belong to the end user, not the developer, so IP address tracking is not very useful. But the API key will identify which developer the request belongs to even when it is made by an end-user browser from a web app. Then, if there are problems with the use of the API, the host site can know who is behind the problem requests and either contact that developer or shut down or moderate access for that particular developer without affecting other users of the API who are not causing an issue.

Thus, the API key facilitates monitoring and managing the use of the API by different developers. In some APIs, a developer is asked to obtain a separate API key for each "app" they are using the API for, to provide even further granularity and control.

In some cases, I've even had a host site contact me (the developer using an API key) and suggest a more efficient way for me to use their API to get the data I wanted (presumably because this put less load on the site's back-end servers).

In particularly bad cases where an API is being misused or used for illicit purposes, an API key can be revoked by the host site such that it no longer works (all requests using that API key are rejected).

jfriend00
  • An API key is mandatory for private API calls, but I was asking about the API key secret used to sign the API call. Why do you have to sign with an additional API key when the call is over HTTPS? – opengrid Apr 17 '14 at 23:51
  • @opengrid - can you point me to an example where an API key secret is used to "sign" an API call? I don't quite follow what you mean. FYI, your question doesn't refer to "sign" anywhere, so if that's what you're asking about, then perhaps you should clarify your question. – jfriend00 Apr 17 '14 at 23:53
  • I made some changes to the question – opengrid Apr 18 '14 at 00:05
  • @opengrid - can you provide a couple of examples of web APIs that require two API keys and signing using a hashing algorithm? The APIs I'm familiar with do not require that. – jfriend00 Apr 18 '14 at 00:46
  • @opengrid - OAuth is designed to be used for authentication over non-secure channels. Some aspects of it are probably not needed if you are always going to run it under SSL, but it's a trusted standard for secure authentication with lots of endpoint support (e.g. libraries) so people are using it, even if they are running it over SSL. Further, some services used to not run over SSL and thus adopted a secure authentication protocol that handled the security for them, but have since (for other reasons) moved to running over SSL. – jfriend00 Apr 18 '14 at 01:12
  • Does it mean that when using only SSL we can use just one API key, without a tnonce and without signing with an API key secret? – opengrid Apr 18 '14 at 14:56
  • @opengrid - if you were designing your own API that was only allowed to run under SSL, you could use a simpler auth scheme than OAuth if you wanted. But, when using someone else's API, you have to play by their rules and do whatever they require. – jfriend00 Apr 18 '14 at 15:33
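
The key/secret/tnonce/signature scheme the question describes, as an added example that is not code from the question, the answer, or any particular API: a client-side signer and a server-side verifier using HMAC-SHA256 (the hash, header names and credentials are assumptions, and the sample values are constructed). It shows what the signature adds on top of TLS: the secret never crosses the wire, the path and body cannot be altered without it, and a timestamp nonce plus a seen-set rejects a replayed request.

```python
import hashlib
import hmac
import time

# Constructed sample credentials (hypothetical, not from any real service).
API_KEY = "demo-key-123"
API_SECRET = b"demo-secret-do-not-reuse"  # shared out of band, never sent on the wire
NONCE_WINDOW_SECONDS = 300  # how far a timestamp nonce may drift from server time


def canonical_string(method, path, body, api_key, nonce):
    """The exact bytes both sides MAC; field order and separators must match."""
    return "\n".join([method.upper(), path, api_key, str(nonce), body]).encode()


def sign_request(method, path, body, api_key, secret, nonce):
    """Client side: HMAC-SHA256 over the canonical string, sent as headers."""
    mac = hmac.new(secret, canonical_string(method, path, body, api_key, nonce), hashlib.sha256)
    return {"X-API-Key": api_key, "X-Nonce": str(nonce), "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: look up the secret by key, check freshness, recompute, refuse replays."""
    def __init__(self, secrets_by_key, now=time.time):
        self.secrets_by_key = secrets_by_key
        self.now = now
        self.seen = {}  # (api_key, nonce) -> expiry; a real service would share this store

    def verify(self, method, path, body, headers):
        key = headers.get("X-API-Key")
        secret = self.secrets_by_key.get(key)
        if secret is None:
            return False, "unknown key"
        try:
            nonce = int(headers.get("X-Nonce", ""))
        except ValueError:
            return False, "bad nonce"
        now = int(self.now())
        if abs(now - nonce) > NONCE_WINDOW_SECONDS:
            return False, "stale nonce"
        expected = hmac.new(secret, canonical_string(method, path, body, key, nonce), hashlib.sha256).hexdigest()
        # Constant-time compare: a tampered body, path or key changes the MAC.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen = {k: v for k, v in self.seen.items() if v > now}  # evict old nonces
        if (key, nonce) in self.seen:
            return False, "replay"  # same signed request presented twice inside the window
        self.seen[(key, nonce)] = now + NONCE_WINDOW_SECONDS
        return True, "ok"
```

Over plain TLS alone, a leaked or logged request could be resubmitted verbatim; with this scheme the same request is refused the second time and any modified request fails the MAC.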