Introduction
APIs allow developers to seamlessly share data between applications and introduce third-party features to their own apps. When APIs were first introduced, there was an immediate need to restrict data access. This led to the development of API keys.
This guide aims to clarify the concept of API keys, present the most common use cases, and recommend the best security practices.
What Are API Keys?
API keys are codes a server generates for client applications, giving them access to the server API and other resources, such as API documentation.
Failing to provide an API key while sending an API call to a protected server results in an HTTP error code – 401 Unauthorized.
What Are API Keys Used For?
While API keys primarily identify client programs and gatekeep content, they also serve other purposes. As API keys have advanced, so has their implementation. Nowadays, API keys are also used for the following operations.
Controlling the Number of Calls Made to an API
Rate limiting refers to controlling the number of API calls a user can make and the amount of data they can access.
The forms of rate limiting that API keys perform are:
- Throttling – The API assesses the importance of every request and uses the information to create a queue. If the API experiences an overload, lower priority calls are ignored. A common way to assign priority to requests is by generating different API keys for free and paying users. A request made with a paid API key will always have priority over a free API key.
- Fixed window – The API owner sets the maximum number of API calls every unique API key can make and the maximum amount of data it can transfer.
- Limiting the number of registered projects – API authentication and authorization methods are typically obtained by registering a project application with the API owner. The API owner can restrict the number of registered projects, therefore reducing the number of API keys or access tokens in circulation.
Log Filtering
APIs can be configured to log every request they receive and process. If an API requires a key for a specific set of requests, API keys can be used to filter these logs.
An API key is associated with all the requests processed using that key and tagged with a key-value pair. The key-value pair is then used as a filtering tool to retrieve requests sent using the API key associated with it.
However, it is important to note that this is not standard practice because of security concerns. If an API owner distributes API keys of equal priority, anyone with an API key would be able to access API logs and sensitive information. A workaround to this issue is to distribute keys with different levels of access.
Usage Patterns Identification
Log filtering allows for easier API usage analysis and helps identify distinct usage patterns.
API usage patterns are classed according to the following criteria:
- The most frequent type of request made.
- The most common operating system used by clients.
- The average number of daily requests.
- The times the API experiences the most traffic.
Usage pattern identification is important because it makes it easier to spot suspicious client activity. The insights this process provides can be used to optimize an API.
API Keys and Security
API keys are used to obtain access tokens granting access to sensitive information. Therefore, API keys are an API security mechanism. But how secure are API keys?
Are API Keys Secure?
API keys in their raw state (without security measures in place) are not considered secure, which is why they are used as an authentication tool and not an authorization tool.
If an API key were stolen, the following would happen:
- The thief would gain access to sensitive information.
- The API owner would have no way of knowing that the key is being misused until the original key owner notifies them.
- By the time the API owner revokes access to the key, the thief could have accessed sensitive data and caused massive damage to the server and the original key user.
Securing API keys means securing access tokens and the entire API environment. Therefore, both API owners and clients must maintain high data security standards.
Securing API Keys – Best Practices
Here are the best ways to protect the server from breaches and API keys from theft and misuse.
Implement Security Safeguards
Security safeguards are measures that protect an API. Some safeguards run automatically while others require the client to perform additional actions.
Some of the most used API security mechanisms are:
- Client authentication
- Client authorization
- Request validation
- Rate limiting
- API attack detection methods
- Implementation of temporary API keys (Secured API keys)
- Encryption
Never Hardcode API Keys
Hardcoding refers to embedding data into the source code of a program instead of generating it upon launch or obtaining it from a third-party source. In the past, developers would hardcode API keys and tokens in an application. However, this practice poses a major security issue.
Hackers can reverse engineer an application and locate the embedded secrets. Depending on the level of access the secret has, hackers can potentially gain entry to an app’s entire user database. The damage that would occur is irreparable.
The recommended course of action is to store keys in environment variables, allowing easy access but not exposing them to the public.
Check Code for Unencrypted Credentials Before Sharing on Repositories
Sharing code with exposed credentials is considered a security risk. If exposed credentials go unnoticed, new versions of the code will be developed with those credentials still embedded, increasing the severity of the security risk.
To prevent this from happening:
- Use gitignore to specify files Git should not upload.
- Hash credentials before uploading code.
- Remove credentials altogether.
Use an API Encryption Management Service
An encryption management service is a type of software designed to safely store secrets, keys, tokens and other sensitive data. Using encryption management ensures security, compliance and provides a centralized system for managing encrypted data.
How to Get an API Key?
Typically, API owners distribute keys by requiring the key user to register the app that will be sending requests to the API.
However, the process of getting an API key is not universal, so future API users are advised to consult the API’s documentation for instructions.
For example, CCBill requires Merchants to register their app. Once registered, Merchants receive a merchant application ID and API key. These credentials are used to generate a token by passing them to the CCBill Payment API authorization server.
Conclusion
APIs are a powerful tool when designed with the best security practices in mind. API keys are the most sensitive component of an API’s security system because they are regularly used to authenticate apps. That is why it is essential to implement stringent security measures to ensure the safety of these credentials.