3

Is there a way to securely store and retrieve an API key in Windows?

For instance, is there a Windows service/API that can be used by a (C#) desktop app to store and retrieve a key?

stoj

2 Answers

1

If the key has to be placed on a client machine, it can be read out. Which language you use or what kind of storage doesn't matter. In the end you'll have to send that API key to your server to authenticate yourself, and at this point someone can use a proxy like Fiddler to inspect the data and record that API key.

To solve this issue you need a (web) interface for your customers where they can log in and manage their API keys, so they can request new keys or revoke old ones. In that case your desktop tool also needs some input mask where the user can enter that key (and you store it in the registry or file system).

By using this approach each customer can use its own key, and if it is compromised you (or the customer) only have to revoke this single key without affecting the other customers.

Oliver
  • I 100% agree with those comments. A well designed system should use a server to invoke the underlying API that requires the API key to prevent any snooping. But what I want to know is can a key be securely stored locally, i.e. without any web server infrastructure. – stoj Nov 25 '21 at 13:45
1

Sorry to answer my own question, but it appears Windows Credential Manager and the underlying Data Protection API are designed for this very purpose. It's the same vault used by Windows to store its various passwords.

And it has a nice C# API: https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection

Answered more fully here: PasswordVault security when used from Desktop app

stoj
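A sketch of the Data Protection API approach from the answer above, as an added example that is not code from either poster. The `ApiKeyStore` class, the `MyApp` folder, the `apikey.bin` file name and the entropy string are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Windows only. On .NET Core / .NET 5+ this needs the
// System.Security.Cryptography.ProtectedData NuGet package.
static class ApiKeyStore
{
    // Assumed per-user location; any path under the user's profile works.
    static readonly string KeyFile = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MyApp", "apikey.bin");

    // Optional entropy must match between Protect and Unprotect. It ships in the
    // binary, so it is not a secret; it only separates this blob from other apps' blobs.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.ApiKey.v1");

    public static void Save(string apiKey)
    {
        byte[] plain = Encoding.UTF8.GetBytes(apiKey);
        try
        {
            // CurrentUser ties the encrypted blob to the current Windows account.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(KeyFile));
            File.WriteAllBytes(KeyFile, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); } // do not leave the key in this buffer
    }

    // Returns the stored key, or null if none is stored or it cannot be decrypted.
    public static string Load()
    {
        if (!File.Exists(KeyFile)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(KeyFile), Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException)
        {
            // Blob was modified, belongs to a different account, or the entropy differs.
            return null;
        }
    }
}
```

Any process running as the same Windows user can call `Unprotect` on this blob, so this protects the key against other accounts and against someone copying the file, not against code running in the user's own session.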