What are API keys?
Application Programming Interface keys (API keys) are unique codes that are passed to APIs to identify the applications, users, or developers that are making calls. They can be used to control and track how the API is being used and prevent it from being abused. Your API key can be used as a unique identifier as well as a secret token for authentication.
API keys will usually have a set of access rights for the APIs that they are associated with.
Basically, an API key is a simple encrypted string that identifies an application without any principal. You can use an API key to access public data anonomously and to associate API requests with your project for quota and billing. They are tokens that clients provide when making API calls. The key can be sent in the query string, or as a request header, or as a cookie.
API keys are supposed to be a secret that only the client and server know. Similar to Basic authentication, API key-based authentication will only be considered secure if it is used along with other security mechanisms such as HTTPS/SSL.
Some APIs make use of a pair of security keys, like API Key and App ID. To specify that the keys are being used together (as in logical AND), you will need to list them in the same array item in the security array.
How are API keys different from Authentication tokens?
API keys are generally used to identify the projects, i.e., the applications or sites that make the calls to APIs. They are even used for project authorization, by checking if the application making the call has access to call the API and has the API enabled in their project.
Authentication tokens are used to identify the individual person (user) that is using an application or website.
An API key does not provide the same level of security as authorization tokens do, but they are effective at identifying the application or call that is making the API call.
Essentially, the biggest difference between API keys and authentication is that authentication tokens are used for the purpose of indentifying the users (the person who is using that specific website or application) while API keys are utilized for the purpose of identifying the project making the call. This could be the website or the application that is making the call to the application programming interface.
How can you use API keys?
The keys are handled by endpoints. They are used along with applications and web interfaces (projects).
API keys are primarily used for project identification and project authorization. They can even be used to associate use information with specific projects. API keys can even enable the Extensible Service Proxy (ESP) to reject calls that are made by projects that have not been granted access or which have not been enabled in that specific API.
Their use can even be restricted to an IP address range or an iOS or Android application.
Basically, API keys are used with projects and authentication is designated for users. In most cases, Cloud Endpoints will take care of both the authentication procedures as well as the API keys.
How do you get API keys?
You would need to ask the owner of the application service that you want to connect your application service with for an API key. If an application owner makes connections to their application services available to external developers, they will generally publish instructions on getting an API key.
The process usually involves creating an account with the owner of the application and proceeding to register the project for which you need the key.
After that, in most cases, you’ll just have to interact with a console and create the credentials needed to generate an API key.
Most keys don’t expire, but sometimes, the application owner requires you to renew your access to the key at fixed intervals.
Why must API keys be kept private?
Some API keys are meant to be public and are published in webpages and application bundles. These are used mainly for identification, not authentication. This tends to work for applications with lower security requirements or applications that have other security measures.
However, most API keys tend to be private. Anyone can do whatever your application is authorized to do with the API if they gain access to your credentials.
If the API key is used to enforce rate limiting and an unauthorized person uses your API key, you might be denied service because they went over the limit. And if you are using a paid API, this may even result in you incurring additional charges if unauthorized people use your key.
In case your API key is used to prove that you asked that a request be performed by the application owner, you would lose control of the protected resource if your API key is stolen or leaked.
Even in situations where your API key does not contain sensitive information, it becomes a security risk as soon as it is used to restrict access to resources because it is rather easy for someone to extract them from client applications and automate attacks by using them. In such a situation, the attacker would be able to impersonate the API server, pretending to be the authorized application or user.
How to keep your API key secure?
Here are a few steps that you could take to keep your API keys secure:
- Don’t directly embed your API keys in code.
- Avoid storing API keys in files within an application's source tree.
- Get rid of unnecessary API keys.
- Create application and API key restrictions.
- Regenerate your API keys from time to time