An application programming interface (API) key is a secret unique identifier used to authenticate and authorize a user, developer, or calling program to an API.
Cloud computing providers such as Google Cloud Platform and Amazon Web Services recommend that API keys only be used to authenticate projects, rather than human users.
Usage
HTTP APIs
API keys for HTTP-based APIs can be sent in multiple ways:
The access token is often a JSON Web Token (JWT) in the HTTP Authorization header:
POST /something HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
In the query string:
POST /something?api_key=abcdef12345 HTTP/1.1
As a request header:
GET /something HTTP/1.1
X-API-Key: abcdef12345
As a cookie:
GET /something HTTP/1.1
Cookie: X-API-KEY=abcdef12345
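The four placements above, handled on the server side as an added example that is not part of the original article: a small parser that takes a raw HTTP/1.1 request and reports where the key was found. The function names, the lookup order and the sample requests are this example's own choices; the requests are constructed from the article's snippets.

```python
"""Locate an API key in a raw HTTP/1.1 request.

Added example, not from the original article. It handles the four
placements the article lists (Authorization: Bearer, query string,
X-API-Key header, cookie). Function names, the lookup order and the
sample requests are this example's own; the requests are constructed
from the article's snippets.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

QUERY_PARAM = "api_key"
HEADER_NAME = "x-api-key"      # header names are case-insensitive; compared lowercased
COOKIE_NAME = "X-API-KEY"      # cookie names are case-sensitive

# Constructed requests, one per placement the article lists.
SAMPLE_REQUESTS = {
    "bearer": "POST /something HTTP/1.1\r\n"
              "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\r\n\r\n",
    "query": "POST /something?api_key=abcdef12345 HTTP/1.1\r\n\r\n",
    "header": "GET /something HTTP/1.1\r\nX-API-Key: abcdef12345\r\n\r\n",
    "cookie": "GET /something HTTP/1.1\r\nCookie: X-API-KEY=abcdef12345\r\n\r\n",
}


def parse_request(raw):
    """Split a raw request into (method, target, headers); header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_api_key(raw):
    """Return (location, key) for the first placement found, else (None, None).

    Headers and cookies are checked before the query string: a key in the
    URL is also written to access logs, proxy logs and browser history,
    so a server should treat that placement as the least desirable one.
    """
    _method, target, headers = parse_request(raw)

    scheme, _, credential = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        return "authorization", credential.strip()

    if headers.get(HEADER_NAME):
        return "header", headers[HEADER_NAME]

    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        if COOKIE_NAME in jar:
            return "cookie", jar[COOKIE_NAME].value

    values = parse_qs(urlsplit(target).query).get(QUERY_PARAM)
    if values:
        return "query", values[0]

    return None, None


def scan_all():
    """Run the extractor over every constructed sample request."""
    return {name: extract_api_key(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (where, key) in scan_all().items():
        print(f"{name:>7}: found in {where}: {key}")
```

The lookup order is a design choice, not a protocol rule: it prefers the placements that stay out of URL logging.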
Security
API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Keys often have no expiration, meaning a stolen key can be used indefinitely unless revoked or regenerated.
Keys are supposed to be a secret known only by the client and server, so they should not be communicated over an insecure channel and can only be considered secure when used in conjunction with other security mechanisms such as HTTPS.
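A server-side key store that addresses the points just made (keys stored in a form that is useless if the store leaks, keys that expire, keys that can be revoked, keys tied to a project rather than a person), written as an added example that is not from the original article. The `KeyStore` class, the `kid.secret` key format and the time-to-live values are this example's own choices.

```python
"""Server-side API key handling with hashed storage, expiry and revocation.

Added example, not from the original article. The KeyStore class, the
'kid.secret' key format and the sample project name are this example's
own choices.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class KeyRecord:
    key_hash: bytes      # SHA-256 of the secret part; the secret itself is never stored
    project: str         # keys identify a project or app, not a human user
    expires_at: float    # Unix time after which the key is rejected
    revoked: bool = False


@dataclass
class KeyStore:
    records: dict = field(default_factory=dict)   # key id -> KeyRecord

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, project, ttl_seconds, now=None):
        """Create a key of the form 'kid.secret' and keep only the secret's hash."""
        now = time.time() if now is None else now
        kid = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.records[kid] = KeyRecord(self._digest(secret), project, now + ttl_seconds)
        return f"{kid}.{secret}"

    def revoke(self, api_key):
        """Mark a key unusable immediately, whatever its expiry."""
        kid = api_key.split(".", 1)[0]
        if kid in self.records:
            self.records[kid].revoked = True

    def verify(self, api_key, now=None):
        """Return the project name for a valid key, or None."""
        now = time.time() if now is None else now
        kid, _, secret = api_key.partition(".")
        rec = self.records.get(kid)
        if rec is None or not secret:
            return None
        # Constant-time comparison of the hashes avoids a timing side channel.
        if not hmac.compare_digest(rec.key_hash, self._digest(secret)):
            return None
        if rec.revoked or now >= rec.expires_at:
            return None
        return rec.project


def demo():
    """Exercise the store with a fixed clock so the outcomes are reproducible."""
    store = KeyStore()
    t0 = 1_700_000_000.0                      # constructed reference time
    key = store.issue("weather-app", ttl_seconds=3600, now=t0)
    tampered = key[:-1] + ("A" if key[-1] != "A" else "B")
    results = {
        "fresh": store.verify(key, now=t0 + 10),
        "wrong_secret": store.verify(tampered, now=t0 + 10),
        "expired": store.verify(key, now=t0 + 3601),
    }
    store.revoke(key)
    results["revoked"] = store.verify(key, now=t0 + 10)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```

Because only the hash of the secret part is kept, a copy of the store does not yield usable keys; the key id in front of the dot exists so the server can find the record without a secret-dependent search.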
There are several risk scenarios when using API keys:
* Developers may write scripts that contain keys in plaintext.
* Developers may hard-code keys into source code and forget to remove them before releasing the code.
* Having unprotected keys in mobile apps is dangerous.
These risks generally stem from the key being in plaintext, which is potentially accessible to adversaries.
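One defensive response to the plaintext and hard-coded-key risks above is to scan source before release. The following is an added example, not from the original article or any named tool: it flags string literals assigned to credential-looking variable names, skips obvious placeholders, and uses Shannon entropy to separate random-looking keys from filler. The regex, the entropy threshold and the sample source file are this example's own choices; the sample key value is constructed, not a real credential.

```python
"""Detect hard-coded API keys in source text before release.

Added example, not from the original article. The regex, the entropy
threshold and the sample source are this example's own choices; the
flagged value is constructed and is not a real credential.
"""
import math
import re

# A literal (quoted or not) assigned to a variable whose name suggests a credential.
ASSIGNMENT = re.compile(
    r"\b(?P<name>[A-Za-z0-9_]*(?:key|secret|token|password)[A-Za-z0-9_]*)"
    r"""["']?\s*[:=]\s*["']?(?P<value>[A-Za-z0-9_\-./+=]{16,})""",
    re.IGNORECASE,
)

# Substrings that mark a value as a template rather than a live key.
PLACEHOLDERS = ("example", "changeme", "your_", "xxxx", "<", "${")

# Constructed source file exercising each case the scanner distinguishes.
SAMPLE_SOURCE = """\
import os

# Loaded from the environment at runtime: fine
dropbox_key = os.environ["DROPBOX_API_KEY"]

# Hard-coded, high-entropy literal: should be flagged
SLACK_TOKEN = "A1b2C3d4E5f6G7h8I9j0KlMnOpQrSt"

# Placeholder that a developer meant to replace: not flagged
twitter_secret = "your_twitter_secret_here"

# Low-entropy filler used in tests: not flagged
test_password = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""


def shannon_entropy(s):
    """Bits per character; random keys score high, words and filler score low."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_hardcoded_keys(text, min_entropy=3.5):
    """Return (line_number, variable_name, value) for each likely live key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue
            if shannon_entropy(value) < min_entropy:
                continue
            findings.append((lineno, m.group("name"), value))
    return findings


if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} looks like a hard-coded key ({value[:6]}...)")
```

Entropy alone is a heuristic: short random tokens can fall under the threshold and long identifiers can exceed it, so a scanner like this is a pre-release check, not a substitute for keeping keys out of the repository in the first place.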
Incidents
In 2017, Fallible, a Delaware-based security firm, examined 16,000 Android apps and identified over 300 which contained hard-coded API keys for services like Dropbox, Twitter, and Slack.
External links
Why and When to Use API Keys