2

I found many tutorials on how to find these keys and integrate them with my app, but nobody explains how they work together. Why are they required and what purpose do they serve in the context of web services?

We also have to generate something called a hash key from the keystore and register it with different web APIs.

I am not able to understand what web API services do with these keys and what attributes they use to generate these keys.

As far as I know, we have to store the app ID on the client side, but we are not using secret keys here for security reasons, so what requirement does the secret key solve on the server side?

I did not find any doc which provides this information.

Please provide any help so that I can understand the concept.

I tried reading the following docs, but they don't provide any information on how all this fits together.

https://developers.facebook.com/docs/facebook-login/android

Facebook API key? Same as Application ID?

https://security.stackexchange.com/questions/19989/facebook-api-app-secret-possible-misuse

Sandeep Sharma

1 Answer

2

There are lots of things here. Some are on the client side and some on the server side. In the simplest terms, we can think of them as follows.

App key/ID: used by the server to track how many API requests are made by a particular app in a day, so that the server can charge the client if the request count exceeds the given threshold.

Secret key: this key is mostly used by the server to make confidential requests to another server (i.e. server-to-server communication). For example, the server can use this key if it wants to change app-related settings or, say, wants to validate the access token of a Facebook client on the server.

That's why it is not permissible to store the secret key on the client side: anyone can decompile the app, find this key and misuse it.

Hash key: we generate the hash key from the app certificate and store it on the developer console, so that the app is first validated against the given hash and only after that is the API request serviced. That's why we sometimes see an invalid hash key error on the client side if both hash keys do not match.

Use of Facebook key hash?

Sandeep Sharma
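
The hash-key check described in the answer above, as an added example that is not part of the original post and is not Facebook's code. It assumes the usual Android key hash form, Base64 of the SHA-1 digest of the DER-encoded signing certificate; `DeveloperConsole`, the app ID and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac


def key_hash(cert_der: bytes) -> str:
    """Key hash = Base64(SHA-1(DER-encoded signing certificate))."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


class DeveloperConsole:
    """Hypothetical stand-in for the key hashes registered per app ID."""

    def __init__(self) -> None:
        self._hashes = {}  # app ID -> set of registered key hashes (bytes)

    def register(self, app_id: str, cert_hash: str) -> None:
        self._hashes.setdefault(app_id, set()).add(cert_hash.encode("ascii"))

    def is_registered(self, app_id: str, presented_hash: str) -> bool:
        presented = presented_hash.encode("utf-8")
        matched = False
        # Check every registered hash with a constant-time comparison.
        for known in self._hashes.get(app_id, ()):
            matched |= hmac.compare_digest(known, presented)
        return matched


# Constructed placeholders: real input is the certificate exported from the keystore.
RELEASE_CERT = b"constructed release signing certificate (DER placeholder)"
DEBUG_CERT = b"constructed debug signing certificate (DER placeholder)"
APP_ID = "0000000000000000"  # constructed app ID


def demo() -> dict:
    console = DeveloperConsole()
    # Only the release certificate's hash is registered on the console.
    console.register(APP_ID, key_hash(RELEASE_CERT))
    return {
        "release_build": console.is_registered(APP_ID, key_hash(RELEASE_CERT)),
        "debug_or_resigned_build": console.is_registered(APP_ID, key_hash(DEBUG_CERT)),
        "unknown_app_id": console.is_registered("1111", key_hash(RELEASE_CERT)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'invalid key hash'}")
```

A build signed with a certificate whose hash was never registered (a debug build, or a re-signed copy of the app) is the case that produces the invalid key hash error the answer mentions.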