
Before I start, I want to say that I am new to building RESTful APIs and have also never dealt with any authentication.

I want to set up a main server which will get API requests from a client (let the server IP/domain be api.example.com). I want to be able to use a POST request to send a file to the server with an API key. What are the ways that I could authenticate the API key on the main server and then POST the file again from there to another server depending on the API key (like two categories, 0 and 1)?

If the file is publicly available on the client server, is it good if I just send the URL to the main server, which passes it to the second server, and then download the file there? Once that is done, the client will also have to use a GET request.

I am thinking of having WordPress on the main server to make registrations easy (write a plugin to generate an API key for each user). Is it a good idea?

I have seen this: Web API creating API keys

But the client side will be public (all the client-side services I will write will be open source, and the API itself is open for developers to develop for their own needs). So I figured hashing the key with any method can be reversed because it's public. I just want to use a single API key of around 30 characters and their email and match it on the main server.

EDIT

I just figured out something, but I don't know if it's a good strategy. If I could ask the users to add the domain from which they will make the request, and then just have only one API key and send it to the server so the server could match the API key against the domain and, if it is listed, continue with the POST.

kks21199
  • I recommend you read up on API authentication techniques, such as HTTP Basic Auth, OAuth and HMAC. After you pick your side, there are plenty of frameworks and libraries out there to save you a ton of work. I especially recommend this article http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/. – ODaniel Jun 24 '15 at 12:43
  • Does HMAC take a certain amount of CPU usage? Is it too much or normal if someone had the client on shared hosting? So should I force the developers to use the same authentication method? And if I use curl from the terminal, how do I hash it then? – kks21199 Jun 24 '15 at 15:23
  • HMAC requires the openssl extension for php to be installed. It does signature validation and encryption, which should be no problem for a modern server. Given your entry level on the subject, I suggest you go with Basic Auth, because it's the simplest. When using curl to invoke the API, you can pass the authentication header as an argument. For testing, have a look at Postman, an excellent Chrome plugin. – ODaniel Jun 24 '15 at 18:09

1 Answer

You can use HTTP Headers to implement your authentication. Typically users will base64 encode the AUTH Header containing the API key issued to them. The server application will decode this API key from the HTTP Request it receives and perform a lookup from a datasource to validate the keys.

Oladipo Olasemo
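An added example, not from the question or the answer, of the header-based check the answer describes: the server decodes a Basic `Authorization` header carrying `email:apikey`, looks the email up in a datasource (a plain dict stands in for the database here, with constructed sample entries), compares the key in constant time against a stored hash, and returns the caller's category (0 or 1) that decides which second server the file goes to.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed in-memory "datasource" standing in for the database table.
# Only a SHA-256 digest of each key is stored, so a leaked table does not
# hand out usable credentials (keys are random ~30-char strings, not passwords,
# so a plain hash is adequate; no hashing happens on the public client side).
API_KEYS = {}

def register_key(email: str, api_key: str, category: int) -> None:
    """Store the hash of a freshly issued key together with the user's category."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    API_KEYS[email] = {"key_hash": digest, "category": category}

def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(email:key)>' into (email, key)."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # malformed base64 or bytes
        return None
    if ":" not in raw:
        return None
    email, key = raw.split(":", 1)
    return email, key

def authenticate(header: Optional[str]) -> Optional[int]:
    """Return the caller's category (0 or 1), or None when the key is rejected."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    email, key = creds
    record = API_KEYS.get(email)
    if record is None:
        return None
    presented = hashlib.sha256(key.encode()).hexdigest()
    # compare_digest keeps the comparison time independent of where the mismatch is
    if not hmac.compare_digest(presented, record["key_hash"]):
        return None
    return record["category"]

def make_header(email: str, api_key: str) -> str:
    """What the client sends: the Basic header for email:key (for testing with curl -H)."""
    return "Basic " + base64.b64encode(f"{email}:{api_key}".encode()).decode()

# Constructed sample registrations, one per category.
register_key("dev0@example.com", "constructed-key-0-0123456789abcdef", 0)
register_key("dev1@example.com", "constructed-key-1-fedcba9876543210", 1)
```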