API key
This article needs additional citations for verification. (October 2018) |
An application programming interface (API) key is a unique identifier used to
Usage
The API key often acts as both a unique identifier and a secret token for authentication and authorization, and will generally have a set of access rights on the API associated with it.[3]
HTTP APIs
API keys for HTTP-based APIs can be sent in multiple ways:[4]
In the query string:
POST /something?api_key=abcdef12345 HTTP/1.1
As a
GET /something HTTP/1.1
X-API-Key: abcdef12345
As a cookie:
GET /something HTTP/1.1
Cookie: X-API-KEY=abcdef12345
Security
API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the
Incidents
In 2017, Fallible, a Delaware-based security firm examined 16,000 android apps and identified over 300 which contained hard-coded API keys for services like Dropbox, Twitter, and Slack.[5]
References
- ^ a b "API Key - What is an API Key?". Last Call - RapidAPI Blog. Retrieved 2019-09-20.
- ^ a b "Why and when to use API keys | Cloud Endpoints with OpenAPI". Google Cloud. Retrieved 2019-09-20.
- ^ "Generating API Keys". www.ibm.com. 2018-06-12. Archived from the original on 2021-09-23. Retrieved 2023-04-03.
- ^ a b "API Keys". Archived from the original on 2019-10-17.
- ZDNet. Retrieved 2022-06-20.
Book sources
- De, Brajesh (2017). API management: an architect's guide to developing and managing APIs for your organization (1st ed.). New York: OCLC 978273106.
External links