HOME

TheInfoList



Click Here for Items Related To - API key
OR:
API key on:   [Wikipedia]   [Google]   [Amazon]

An application programming interface (API) key is a secret unique identifier used to
authenticate Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating ...
and authorize a user, developer, or calling program to an
API An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build ...
.
Cloud computing Cloud computing is "a paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand," according to International Organization for ...
providers such as
Google Cloud Platform Google Cloud Platform (GCP) is a suite of cloud computing services offered by Google that provides a series of modular cloud services including computing, Computer data storage, data storage, Data analysis, data analytics, and machine learnin ...
and
Amazon Web Services Amazon Web Services, Inc. (AWS) is a subsidiary of Amazon.com, Amazon that provides Software as a service, on-demand cloud computing computing platform, platforms and Application programming interface, APIs to individuals, companies, and gover ...
recommend that API keys only be used to authenticate projects, rather than human users.


Usage


HTTP APIs

API keys for
HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...
-based APIs can be sent in multiple ways: The access token is often a
JSON Web Token JSON Web Token (JWT, suggested pronunciation , same as the word "jot") is a Internet Standard#Proposed Standard, proposed Internet standard for creating data with optional Signature (cryptography), signature and/or optional encryption whose Payl ...
(JWT) in the HTTP Authorization header: POST /something HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... In the
query string A query string is a part of a uniform resource locator ( URL) that assigns values to specified parameters. A query string commonly includes fields added to a base URL by a Web browser or other client application, for example as part of an HTML doc ...
: POST /something?api_key=abcdef12345 HTTP/1.1 As a request header: GET /something HTTP/1.1 X-API-Key: abcdef12345 As a
cookie A cookie is a sweet biscuit with high sugar and fat content. Cookie dough is softer than that used for other types of biscuit, and they are cooked longer at lower temperatures. The dough typically contains flour, sugar, egg, and some type of ...
: GET /something HTTP/1.1 Cookie: X-API-KEY=abcdef12345


Security

API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Keys often have no expiration, meaning a stolen key can be used indefinitely unless revoked or regenerated. Keys are supposed to be a secret known only by the client and server, so they should not be communicated over an insecure channel and can only be considered secure when used in conjunction with other security mechanisms such as
HTTPS Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protoc ...
. There are several risk scenarios when using API keys: * Developers may write scripts that contain keys in
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
. * Developers may hard-code keys into
source code In computing, source code, or simply code or source, is a plain text computer program written in a programming language. A programmer writes the human readable source code to control the behavior of a computer. Since a computer, at base, only ...
, and forget that when they release the code. * Having unprotected keys in
mobile apps A mobile application or app is a computer program or software application designed to run on a mobile device such as a phone, tablet, or watch. Mobile applications often stand in contrast to desktop applications which are designed to run on d ...
is dangerous. These risks generally stem from the key being in plaintext, which is potentially accessible to adversaries.


Incidents

In 2017, Fallible, a Delaware-based security firm examined 16,000 Android apps and identified over 300 which contained hard-coded API keys for services like
Dropbox Dropbox is a file hosting service operated by the American company Dropbox, Inc., headquartered in San Francisco, California, that offers cloud storage, file synchronization, personal cloud, and Client (computing), client software. Dropbox w ...
,
Twitter Twitter, officially known as X since 2023, is an American microblogging and social networking service. It is one of the world's largest social media platforms and one of the most-visited websites. Users can share short text messages, image ...
, and Slack.


References


Book sources

*


External links


Why and When to Use API Keys
Application programming interfaces {{compu-prog-stub