Oct 29, 2018

API Key Authentication

API Key authentication is a technique that overcomes the weakness of using shared credentials by requiring the API to be accessed with a unique key. In this scheme, the key is usually a long series of letters and numbers that is distinct from the account owner's login password.

When the client authenticates with the API key, the server knows to allow the client access to data, but also has the option to limit administrative functions, like changing passwords or deleting accounts. Sometimes, keys are used simply so the user does not have to give out their password. API Key authentication therefore offers the flexibility both to limit what a client may do and to keep the user's password out of the client's hands.

Unlike Basic Auth, which is an established standard with strict rules, API key authentication has no standard; everybody has their own way of doing it.

There are a few common approaches. One is to have the client put the key in the Authorization header, in lieu of a username and password. Another is to add the key onto the URL (http://i88.ca?api_key=my_secret_key). Less common is to bury the key somewhere in the request body next to the data. Wherever the key goes, the effect is the same: it lets the server authenticate the client.
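The server side of this scheme, as an added example that is not part of the original article: a small Python verifier that accepts the key from any of the three placements just described (Authorization header, `api_key` query parameter, or an `api_key` field in the body), stores only a SHA-256 digest of each key rather than the key itself, compares digests in constant time, and refuses administrative operations for keys that were issued without that permission. The key store, the `ApiKey` header prefix, the owner names and the operation names are all constructed for the example. The query-string form is supported because the article mentions it, but note that URLs are routinely written to server and proxy logs, so the header form keeps the key out of more places.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed key store for the example: the server keeps only a SHA-256
# digest of each key, so a leaked table does not yield usable credentials.
# Each record carries the owner and whether the key may perform
# administrative functions (the "limit control" idea from the article).
KEY_STORE = {
    hashlib.sha256(b"demo-key-read-only").hexdigest(): {"owner": "alice", "can_admin": False},
    hashlib.sha256(b"demo-key-admin").hexdigest(): {"owner": "bob", "can_admin": True},
}

# Operations that a plain data-access key must not be allowed to perform.
ADMIN_OPERATIONS = {"change_password", "delete_account"}


def generate_api_key():
    """Mint a new key: 32 random bytes rendered as 64 hex characters."""
    return secrets.token_hex(32)


def register_key(owner, can_admin=False):
    """Create a key for `owner`, store only its digest, and return the
    plaintext once so it can be shown to the user."""
    key = generate_api_key()
    KEY_STORE[hashlib.sha256(key.encode()).hexdigest()] = {"owner": owner, "can_admin": can_admin}
    return key


def extract_api_key(headers, url, body):
    """Pull the key from wherever the client put it, checking the
    Authorization header first, then the api_key query parameter, then
    an api_key field in a dict-style (parsed JSON) body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("ApiKey "):  # hypothetical scheme name for this example
        return auth[len("ApiKey "):].strip()
    query = parse_qs(urlparse(url).query)
    if query.get("api_key"):
        return query["api_key"][0]
    if isinstance(body, dict) and body.get("api_key"):
        return body["api_key"]
    return None


def lookup_key(presented):
    """Hash the presented key and compare it against every stored digest
    with a constant-time comparison. The loop deliberately does not break
    on a match so the time taken does not depend on where the key sits."""
    if not presented:
        return None
    digest = hashlib.sha256(presented.encode()).hexdigest()
    match = None
    for stored_digest, record in KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            match = record
    return match


def authorize(headers, url, body, operation):
    """Authenticate the request and decide whether `operation` is allowed.
    Returns an (HTTP status, message) pair."""
    record = lookup_key(extract_api_key(headers, url, body))
    if record is None:
        return 401, "missing or unknown API key"
    if operation in ADMIN_OPERATIONS and not record["can_admin"]:
        return 403, "key for %s may not perform %s" % (record["owner"], operation)
    return 200, "ok: %s may perform %s" % (record["owner"], operation)


if __name__ == "__main__":
    # Header placement, read operation: allowed.
    print(authorize({"Authorization": "ApiKey demo-key-read-only"}, "http://i88.ca/data", None, "read_data"))
    # URL placement as in the article, but an admin operation on a read-only key: refused.
    print(authorize({}, "http://i88.ca?api_key=demo-key-read-only", None, "change_password"))
```

Hashing the stored keys is the same design choice applied to passwords: a key is a bearer secret, so a dump of the key table should not be enough to impersonate every client. The `can_admin` flag is the simplest form of the per-key limits the article describes; a real deployment would usually carry a list of permitted scopes instead of a single boolean.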

Automating the key exchange is one of the main problems OAuth solves. It provides a standard way for the client to get a key from the server by walking the user through a simple set of steps.
  • OAuth: an authentication scheme that automates the key exchange between client and server.
  • Access Token: a secret that the client obtains upon successfully completing the OAuth process.
  • Scope: permissions that determine what access the client has to the user's data.