I am trying to do a GET request to an API with blockcypher.com. In the docs they simply append the API token to the URL with ?token= or, if it's part of multiple parameters, &token=. What's the proper protocol for putting this in the headers to make sure that the token isn't sent in the URL for security reasons?

I already tried to do this formula

```csharp
var client = _clientFactory.CreateClient(nameof(<Parent Function Name>));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", <API Token Here>);
```

This didn't work. My blockcypher account claims that no requests to my API were sent when I use the above code.

ChristianOConnor

1 Answer

If the API you're calling doesn't support the Authorization header, there isn't anything you can do. From looking at BlockCypher's docs, they only appear to support passing the token as a URL parameter. The Authorization header is very standard, so not supporting it is odd.

This isn't as big of a security risk as you might think, as long as you are only doing server-to-server communication (not a browser or mobile app). When you use HTTPS, the request URL is encrypted (see Is an HTTPS query string secure?).

Nate Barbettini
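For the server-to-server case described in the answer, here is an added example (not code from the question or the answer) that sends the token as a `token` query parameter and masks it before the URL is written to a log. The endpoint URL, the `API_TOKEN` environment variable and the helper names are assumptions, and a plain `HttpClient` stands in for the question's client factory so the block runs on its own.

```csharp
using System;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

public static class TokenInQueryExample
{
    // Appends token=<value>, joining with '?' or '&' depending on
    // whether the URL already carries query parameters.
    public static Uri AppendToken(string url, string token)
    {
        var builder = new UriBuilder(url);
        var pair = "token=" + Uri.EscapeDataString(token);
        // UriBuilder.Query returns the leading '?' when a query is present.
        var existing = builder.Query.TrimStart('?');
        builder.Query = existing.Length == 0 ? pair : existing + "&" + pair;
        return builder.Uri;
    }

    // Masks the token value so the URL is safe to log or put in an error message.
    public static string RedactToken(Uri uri) =>
        Regex.Replace(uri.AbsoluteUri, @"(?<=[?&]token=)[^&#]*", "REDACTED");

    public static async Task Main()
    {
        // Hypothetical endpoint and variable name; the fallback token is a constructed sample.
        const string endpoint = "https://api.example.invalid/v1/resource?limit=5";
        var token = Environment.GetEnvironmentVariable("API_TOKEN") ?? "constructed-sample-token";

        var requestUri = AppendToken(endpoint, token);
        // Log only the redacted form; the real URI goes to HttpClient alone.
        Console.WriteLine("GET " + RedactToken(requestUri));

        using var client = new HttpClient();
        try
        {
            using var response = await client.GetAsync(requestUri);
            Console.WriteLine("Status: " + (int)response.StatusCode);
        }
        catch (HttpRequestException ex)
        {
            // The placeholder host does not resolve, so this branch runs as written.
            Console.WriteLine("Request failed: " + ex.Message);
        }
    }
}
```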