3.4.4. Securing API with API Key & Secret

  • API Key & Secret

    • Similar to a username/password pair but not the same -> the key and secret are meant for applications or machines, not for humans

      • Long random strings (generated by the provider, not chosen by a person) so they are not practical to guess or brute-force

    • API Key/ Secret is issued by the API provider

    • API key identifies an API consumer

      • Client key

      • Client ID

    • API secret is used by the client to prove its identity, either sent directly as a

      • password

      • Digital signature (the secret signs the request and never travels on the wire)

  • How is the key used?

    • API key in combination with the secret is used for authentication

    • Usage analytics (calls are attributed to the consumer identified by the key)

    • Getting tokens from the API provider (key and secret are exchanged for a short-lived token)

    • Rate limiting (quotas are enforced per key)

  • Design Decisions

    • 1. Practice in the API call:

      • Where to send the API key and the secret (or signature):

        • HTTP header (preferred: not logged by default and not part of the URL)

        • Query parameters (avoid for secrets: they end up in server logs, proxy logs and browser history)

        • Request body

    • 2. Leverage the API management platform:

      • API key & secret management

        • Needs an interface (a gateway policy or validation hook) to validate the key and the secret on every call

      • Secret scheme

      • API key/secret provisioning

      • Rate limiting & analytics
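The design decisions above can be put together in one small provider/client pair. The example below is added here and is not code from the original notes or from any particular API management product: the client sends its key id in an HTTP header and proves possession of the secret with an HMAC-SHA256 signature over the request (method, path, timestamp, body hash), so the secret itself never travels on the wire; the provider looks the secret up by key id, recomputes the signature, rejects stale timestamps, and applies a per-key rate limit. The header names (`X-Api-Key`, `X-Timestamp`, `X-Signature`), the key-id format `ak_...`, the key store and the request data are all assumptions constructed for this example.

```python
"""API key + secret with a request signature, validated by the provider.

Added example (not from the original notes). Header names, key ids, the
key store and the sample request are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed key store. In an API management platform this is the
# provisioning database; the secret should live hashed or in a vault.
KEY_STORE = {
    "ak_demo0001": {"secret": "u3mYk7xN2pQw9LsV4bTz8HcJ1rDfGaEe", "owner": "billing-service"},
}

CLOCK_SKEW = 300  # seconds; older/newer timestamps are treated as stale or replayed


def issue_key() -> tuple:
    """Provider side: mint a new key id and a long random secret (256 bits)."""
    return "ak_" + secrets.token_hex(8), secrets.token_urlsafe(32)


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """What gets signed: method, path, timestamp and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret: str, method: str, path: str, timestamp: str, body: bytes) -> str:
    return hmac.new(secret.encode(), canonical_string(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


def client_headers(key_id: str, secret: str, method: str, path: str, body: bytes, now=None) -> dict:
    """Client side: key id in a header, secret proven by the signature (header, not query string)."""
    ts = str(int(now if now is not None else time.time()))
    return {
        "X-Api-Key": key_id,
        "X-Timestamp": ts,
        "X-Signature": sign_request(secret, method, path, ts, body),
    }


class RateLimiter:
    """Sliding-window limit keyed by API key: at most `limit` calls per `window` seconds."""

    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, key_id: str, now: float) -> bool:
        q = self.calls[key_id]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def verify_request(headers: dict, method: str, path: str, body: bytes,
                   store=KEY_STORE, limiter=None, now=None) -> tuple:
    """Provider side: returns (True, owner) or (False, reason)."""
    now = now if now is not None else time.time()
    key_id = headers.get("X-Api-Key")
    record = store.get(key_id)
    if record is None:
        return False, "unknown key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > CLOCK_SKEW:
        return False, "stale timestamp"
    expected = sign_request(record["secret"], method, path, str(ts), body)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    if limiter is not None and not limiter.allow(key_id, now):
        return False, "rate limited"
    return True, record["owner"]


if __name__ == "__main__":
    body = b'{"amount": 10}'
    hdrs = client_headers("ak_demo0001", KEY_STORE["ak_demo0001"]["secret"], "POST", "/v1/charge", body)
    print(verify_request(hdrs, "POST", "/v1/charge", body, limiter=RateLimiter(100, 60)))
    print(verify_request(hdrs, "POST", "/v1/charge", b'{"amount": 99}'))  # tampered body
```

Because the body hash is part of the signed string, a tampered body fails validation even though the key and timestamp are unchanged; the timestamp window bounds how long a captured request can be replayed, and the limiter shows why the key (the consumer identity) is the natural unit for quotas and analytics.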
