Application Programming Interface Key (API keys) are codes passed in by computer programs. In particular, calling an application programming interface (API) to identify various aspects. Such as the calling program, its developer, or its user to the Web site.
In other words, an application programming interface (API) is a set of rules and specifications that software programs can follow to communicate or ‘interface’ with each other.
Notably, APIs are a set of routines, protocols, and tools for building software applications. Basically, an API Protocol specifies how software components should interact. Remarkably, the authentication method requires a public key (Consumer Key) and signature seeded with a Private Key.
What are API Keys?
API Keys were created as somewhat of a fix to the early authentication issues of HTTP Basic Authentication and other such systems. In this approach, a unique generated value is assigned to each first time user, signifying that the user is known.
When the user attempts to re-enter the system, their unique key (sometimes generated from their hardware combination and IP data, and other times randomly generated by the server which knows them) is used to prove that they’re the same user as before.
Easy Setup and Authentication:
On the other hand, this is very fast. The ability to prove identity once and move on is very agile and is why it has been used for many years now. Especially as a default approach for many API providers.
The problem, however, is that API keys are often used for what they’re not. Whereas an API key is not a method of authorization, it’s a method of authentication. Because anyone who makes a request of service transmits their key.
In theory, this key can be picked up just as easy as any network transmission. And if any point in the entire network is insecure, the entire network is exposed. This makes API keys a hard thing to recommend – often misused and fundamentally insecure. They nonetheless do have their place when properly secured and hemmed in by authorization systems.
How do API Keys provide Security?
By all means. API keys grant full access to your Host Account Dashboard. And should be protected the same way you would protect your password.
However, there are a few common scenarios to keep in mind when working with API keys. Such as;
- Give each integration its own API key, and assign labels to each key so you know which key goes with which application. If a specific API key is compromised, you can disable that key without disabling access to all of your other integrations.
- Be careful not to expose the key to the public (such as in screenshots, videos, or help documentation). Remember that blurring your data isn’t always enough. It’s best to use “cut” functions in your graphics program to remove the data completely.
- If a key needs to be shared, generate a new key and label it accordingly so it can be disabled, if needed. Never email the API key, because it would allow access to your premium email account such as the MailChimp. Especially, if hackers were to compromise your email account.
- For example, if you revoke a user’s access to your MailChimp account, any API keys created by the user will be removed from your account.
- Access to each endpoint is determined by the role of the user who generated the API key. To learn more about user-level permissions, visit Manage User Levels in Your Account.
Who is the API Keys Auth Provider?
Basically, the API Key Auth Provider provides an alternative method for allowing external 3rd Parties access to your protected Services. In that case, without needing to specify a password.
API Keys are the preferred approach for many well-known public API providers. Especially, used in system-to-system scenarios for several reasons. Including but not limited to;
- Simple – It integrates easily with existing HTTP Auth functionality
- Independent from Password – Limits exposure to the much more sensitive master user passwords that should ideally never be stored in plain-text. Resetting User’s Password or password reset strategies won’t invalidate existing systems configured to use API Keys
- Entropy – API Keys are typically much more secure than most normal User Passwords. The configurable default has 24 bytes of entropy (Guides have 16 bytes). And also generated from a secure random number generator that encodes to 32 chars using URL-safe Base64 (Same as Stripe)
- Performance – Thanks to their much greater entropy and independence from user-chosen passwords, API Keys are validated as fast as possible using a datastore Index. This is a contrast to validating hashed user passwords. Which as a goal require the usage of slower and more computationally expensive algorithms to try to make brute force attacks infeasible
Like most ServiceStack providers the new API Key Auth Provider is simple to use. Integrates seamlessly with ServiceStack existing Auth model and includes Typed end-to-end client/server support.
API Keys Authentication vs Authorization
Before we dive into this topic too deep, we first need to define what authentication actually is, and more importantly, what it’s not.
In fact, one of the solutions we’re going to discuss in a moment is a hybrid system of authentication and authorization. As such, and due to their similarities in the functional application, it’s quite easy to confuse these two elements.
The easiest way to divide authorization and authentication is to ask: what do they actually prove? In simple terms, Authentication is when an entity proves an identity.
Authentication proves that you are who you say you are. This is akin to having an identification card – an item given by a trusted authority that the requester, such as a police officer, can use as evidence that suggests you are in fact who you say you are.
Authorization is an entirely different concept, though it is certainly closely related. In simple terms, Authorization is when an entity proves a right to access.
Authorization proves you have the right to make a request. When you try to go backstage at a concert or an event, you don’t necessarily have to prove that you are who you say you are – you furnish the ticket, which is de facto proof that you have the right to be where you’re trying to get into.
Consider for a moment a driver’s license. In many countries, a driver’s license proves both that you are who you say you are via a picture or other certified element, and then goes further to prove that you have a right to drive the vehicle class you’re driving.
In such a case, we have authentication and authorization. And in many API solutions, we have systems that give a piece of code that both authenticates the user and proves their authorization. In such a case, we have hybrid solutions.
What are the Methods of API Keys Authentication?
While there are as many proprietary authentication methods as there are systems that utilize them, they are largely variations of a few major approaches.
These approaches almost always were developed to solve limitations in early communications and internet systems, and as such, typically use broad existent architectural approaches with novel implementations in order to allow authentication to occur.
HTTP Basic Authentication,
One solution is that of HTTP Basic Authentication. In this approach, an HTTP user agent simply provides a username and password to prove their authentication. This approach does not require cookies, session IDs, login pages, and other such specialty solutions, and because it uses the HTTP header itself, there’s no need for handshakes or other complex response systems.
Secure Socket Layer Encryption,
The problem is that, unless the process is strictly enforced throughout the entire data cycle to SSL for security, the authentication is transmitted in open on insecure lines. This lends itself to a man in the middle attacks, where a user can simply capture the login data and authenticate via a copy-cat HTTP header attached to a malicious packet.
Additionally, even if SSL is enforced, this results in a slowing of the response time. And even ignoring that, in its base form, HTTP is not encrypted in any way. It is encapsulated in base64 and is often erroneously proclaimed as encrypted due to this.
HTTP Basic Authentication does have its place. For instance, in an internal network, especially in IoT situations where speed is of no essence, having an HTTP Basic Authentication system is acceptable. Particularly, as a balance between the cost of implementation and actual function.
As a general authentication solution, however, HTTP Basic Authentication should be seldom used in its base form.
Generally speaking, OAuth is a bit of a strange beast. Not only is OAuth an authentication method, but it also a method of both authentication and authorization. When OAuth is used solely for authentication, it is what is referred to as “pseudo-authentication.” In this approach, the user logs into a system. That system will then request authentication, usually in the form of a token.
This is fundamentally a much more secure and powerful system than the other approaches. Largely because it allows for the soft establishment of scope. That is, what systems the key allows the user to authenticate to and validity.
Meaning the key doesn’t have to be purposely revoked by the system, it will automatically become deprecated in time. As with anything, there are some major pros and cons to this approach. On one hand, it’s clearly superior when it comes to the level of security it can offer, and for this reason, OAuth is quickly becoming the de facto choice for anyone choosing to eschew API keys.
On the other hand, using OAuth for authentication alone is ignoring everything else that OAuth has to offer – it would be like driving a Ferrari as an everyday driver, and never exceeding the residential speed limits. Those caveats in mind, OAuth is easy to set up, and it is incredibly fast.
What are the Basic types of API Keys?
In CARTO, you can find 3 types of API Keys:
- Default public
1. Regular APIs
Notably, Regular API Keys are the most common type of API Keys. They provide access to APIs and database tables (aka Datasets) in a granular and flexible manner.
For example, one API key can provide access to;
- SQL API.
- A World_Population dataset with select permission.
- Most Liked_Cities dataset with select/insert permissions.
With this API Key, you can access the SQL API but not the Maps API. You also can run a
SELECT SQLquery to the dataset of the
World_Population. But not an,
DELETE or even
INSERT Nevertheless, you can run an to
INSERT the list of the
Liked_Citiesdataset. Access to the dataset is
It’s also possible to create as many regular API Keys as you want. Moreover, to enforce security, we encourage you to create as many regular API Keys as apps/maps you produce.
On one hand, an important property to keep in mind about regular API Keys is that they are not editable. You can not add/delete datasets nor APIs. On the other hand, another important property of Regular API keys is that they inherit all the Datasets permissions from the Default Public API Key.
2. Default Public APIs
Surprisingly, the Default Public is a kind of regular API Keys. They too provide access to APIs and Datasets, but for the latter in a read-only way. Every user has one and only one Default Public API Key. That means that on user creation a Default API Key is issued for that user and that these type of keys are not revocable/deletable.
For example, one Default Public API Key can provide access to;
- SQL API
- Maps API
- a World_Population dataset with reading permission
- the Liked_Cities dataset with reading permission
A cosmetic difference compared to the other API Key types is the code/token that identifies these API Keys. Whereas, it’s just the default_public. Not to mention, it’s a simple human-readable constant string, no randoms involved.
3. Master APIs
In general, Master keys are a very special kind of API Keys. As it happens with the Default Public type, every user has one and only one Master non-revocable API Key.
The special thing about Master API Keys is that they grant access to almost everything. Such as the APIs and Datasets (select/insert/create/delete). Your Master API key carries many privileges, so be sure to keep it secret. Do not share it in publicly accessible areas such as GitHub or client-side code.
Actually, you should use Master API Keys sparingly. Try to limit its direct use only to interact programmatically with the Auth API. Issue and use regular API Keys for the rest of use cases.
Why and When are API Keys used?
API keys are for projects, authentication is for users
Google Cloud Endpoints handles both API keys and authentication schemes (such as Firebase or Auth0). The main distinction between these two is:
- API keys identify the calling project — the app or site — making the call to an API
- Auth tokens identify a user — the person — that is using the app or site
API keys provide project authorization
To decide which scheme is most appropriate, it is important to understand what API keys and authentication can provide.
API keys Provide?
- Identification — Identify the app or the project that’s making a call to this API
- Authorization — Check whether the calling app has been granted access to call the API and has enabled the API in their project
API keys are not as secure as auth tokens (see Security of API Keys), but they identify the app or project that’s calling an API. Moreover, by identifying the calling project, API keys enable usage information to be associated with that project. And also, they allow the Extensible Service Proxy (ESP)to reject calls from projects that haven’t been granted access or enabled the API.
Authentication of Users
By contrast, authentication schemes typically serve two purposes. Such as;
- Authentication — Securely verify that the calling user is who they claim to be
- Authorization — Check whether the user should have access to make this request
Authentication schemes provide a secure way of identifying the calling user. Cloud Endpoints also checks the auth token to verify that it has permission to call an API. Based on that authentication, the API server will decide on authorizing a request. If you need the ability to identify the user making the call, see Authenticating Users.
While API keys identify the calling project, they do not identify the calling user. For instance, if you have created an app that is calling an API, an API key would identify the app that is making the call, but not the identity of the person who is using the app. If you need a more secure way to limit which projects or services can call your API, see Authentication Between Services.
Google API Keys
Important to realize, Google offers dozens of API Keys for web designers and developers. Some are specifically related to popular Google products, like Gmail and Analytics. While others are more specialized and aren’t part of public programs.
Of course, all are free to use. You can view all of the Google API Keys and code tools on their Site Directory. Below are the Googles’ most used API Keys. Including,
General API Keys
- Places API – Google Places is a large directory of local businesses and attractions all around the world. The Places API lets you access that information and display it on your website, as well as display check-ins by users.
- Geocoding API – The Geocoding API lets you convert any address into geographic coordinates, which can then be used to place markers on a map.
- Tasks API – The Tasks API offers endpoints for reading, searching, and updating Google Tasks content and metadata.
- Analytics Management API – The Analytics Management API gives improved access to your Analytics data, and lets you fine-tune your requests to just pull the information and reports you need for your application.
- Directions API – The Directions API lets your users get directions from one point to another using a variety of travel modes from within your site or app, and doesn’t require a Google Maps API Key.
Content API Keys
- Blogger Data API – The Blogger Data API lets your application create and post new blog posts, edit or delete existing posts, and search for posts based on specific criteria.
- Books API – The Google Books API lets you integrate book searches into your application, and embed book previews on your site.
- Calendar API – The Calendar API gives access to many of the standard web interface tools and operations to your web app.
- Moderator API – Google Moderator is a tool for collecting ideas, questions, and recommendations from any size audience. The API allows your website or application to do the same.
- Prediction API – The Prediction API helps you make smarter apps that can analyze historical data and predict future outcomes.
- Google Web Fonts API – The Web Fonts API makes it easy to add free web fonts to your website or application. Their collection of fonts grows on a continuous basis and already includes a huge variety.
Integration API Keys
- Picasa Web Albums Data API – The PWA Data API can be used to create albums and upload, retrieve, or comment on photos, among other features.
- Static Maps API – You don’t always want an interactive map on your site. Sometimes a static map is just what you need. The Static Map API lets you embed static Google Maps onto your site, including custom styled maps.
- YouTube APIs – YouTube has two APIs available: Player APIs and Data API. The Player APIs allow you to have an embedded player or a chromeless player. In particular, that which you can then customize within HTML or Flash. The Data API lets your app perform a lot of the operations available on YouTube. Such as uploading videos and modifying user playlists.
- Webmaster Tools API – The Webmaster Tools API lets your client application use a variety of Webmaster Tools functions, including viewing sites, adding and removing sites, verifying site ownership, and submitting and deleting Sitemaps.
- OpenSocial – OpenSocial can be used for building social applications, creating social app platforms, and sharing and accessing social data.
IBM Cloud API keys
IBM® Cloud API keys are created from the User details page in the IBM Cloud console. For a user and are associated with the user’s identity. Only the user for which the API key is associated with can create and delete it.
You can use the IBM Cloud API keys in the command-line interface (CLI). Or as part of automation to log in as your user identity. For more information about using an API key associated with your user identity, see Managing user API keys.
You can also use IBM Cloud API keys to access classic infrastructure APIs. Especially those that are associated with the service IDs that you created. Service IDs are used to connect an application inside or outside of IBM Cloud to an IBM Cloud service. For more information about creating API keys associated with a service ID, see Managing service ID API keys.
The Yahoo API Keys
Important to realize, like Google, Yahoo! offers a number of APIs useful for developers. All are free to use and can help you integrate a variety of Yahoo!-owned web services into your app, including Flickr and Delicious.
Here are more examples;
The Answers API lets you access the collective knowledge contained within Yahoo! Answers. You can search Answers based on a variety of criteria. Including, the specific user, category, and more. Set your app to watch for new questions in the categories you choose. And also track new answers from specific users.
The Contacts API lets you access relationships in your Yahoo! address book. It reads a user’s Contact information while respecting user privacy and permission settings.
The Delicious API gives read/write access to Delicious bookmarks and tags.
The Fire Eagle API helps you create location-aware websites and applications.
With the Flickr API, you can view, search, and manipulate photo tags, display photos from a specific user or group, and more.
The Local API lets you access location-based information and user-contributed content.
Yahoo! offers a number of APIs for their Maps services. Such as Ajax API, a REST API, and a No Coding API.
The meme is a multimedia light-blogging platform. The API lets you create apps that can read, post, and repost content through Meme.
The PlaceFinder API, similar to Google’s GeoCoding API, and lets you convert a street address into geographic coordinates.
Additional API Keys,
Generally speaking, Yahoo! and Google aren’t the only ones offering powerful APIs for designers and developers.
A number of social media sites and others have their own API(s), including Twitter, Facebook, Yelp, Bit.ly, and many more.
Twitter has a host of developer tools surrounding their API that let you create apps that interact with virtually any of Twitter’s functions.
Facebook offers APIs for working with Credits, Ads, Chat, and more. Also found here is the Graph API, which is the backbone of the Facebook Platform. And enables your app to read and write data to Facebook.
Awe.sm offers a number of developer APIs for integrating their social media campaign tracking tools into your app or website.
The Foursquare APIs not only allows you to create apps that interact with the Foursquare service. But also to use Foursquare’s place-related database as a standalone service.
Ning offers a set of APIs for developing desktop and mobile apps, custom network features, profile apps, and data importers.
Soundcloud APIs include tools for sharing, streaming, and customizing the Soundcloud player for your website.
The Social Mention API provides a stream of real-time search data from a number of social media services. In general, for integration into other applications. It’s free for personal and non-commercial use.
The Opus Social Media API can serve as a basis for developing a social networking and digital media site or app.
Digg offers an API that lets you access their newsfeeds for your own sites and applications.
The Yelp API lets you access business listing info, business ratings, and review excerpts from Yelp in your application or website.
Real estate site Zillow offers APIs that give access to neighborhood information that can be integrated into other applications. (They also offer a number of other APIs, including postings, property details, home valuations, and more.)
The Tropo API adds Twitter, IM, voice and SMS functionality to a variety of common programming languages. Development is free, though sending messages varies in price (with Twitter and IM messages currently free).
Bit.ly offers an API for integrating URL shortening into your app or site.
Security of API keys
“A good defense is the best offense.” Someone once said that. Well, that’s partly true in Android when it comes to storing API keys and protecting them against hackers. You need to keep your API keys private and secure for multiple reasons.
If a hacker gains access to your API key, they could:
- make API calls and which could tremendously increase your billing costs, and/or
- use it to disrupt your users’ data.
In reality, API keys are generally not generally that secure. Since they are typically accessible to clients. Making it easy for someone to steal an API key.
While under the restrictions you can set on an API Key to mitigating this. Hence, there are better approaches for authorization. For example, see Authenticating Users.
Benefits of API Keys include;
- an API may restrict some or all of its methods to require API keys. It makes sense to do this if you:
- do want to block anonymous traffic. Whereas, API keys identify an app’s traffic for the API producer. And in case the app developer needs to work with the API producer. Especially in order to debug an issue or show their app’s usage.
- want to be able to control the number of calls made to your API.
- need to identify usage patterns in your API’s traffic. You can see app usage in APIs & services.
- request the ability to filter logs by API key.
API keys Limitations include:
- Identifying individual users — API keys don’t identify users, they identify projects.
- Secure authorization.
- Identifying the creators of a project.
Note also that Service Infrastructure does not provide a method to directly look up projects from API Keys.
Important to realize, API keys are not as secure as auth tokens (see Security of API Keys). But, they identify the app or project that’s calling an API.
API keys are important elements to both website designers and users. To learn more about how to set up and use API keys access, see Restricting Access with API Keys.
In other words, your API Key and Secret Key are confidential to you and the host. Meaning, it is important to keep both keys confidential to protect your account.
To create additional API Keys, simply go to your API Key Management page on the Host account. Such as Google, Shopify, Themeforest, Carto, etc.
I hope the above-revised guide was useful to you. But if you’ll have some additional contributions and questions, please Contact Us.
Below you’ll find more useful and related to the topic links;
- The jmexclusives: Cloud Computing and Technology
- Wikipedia: Application Programming Interface Key
- Web Designer Depot: 40 Useful APIs for Web Designers and Developers
- Google API Keys: Why and When to Use the Keys
- Carto: The main types of API Key
- ServiceStack: API Key Auth Provider
- NordiCapis: 3 Common Methods of API Authentication Explained
- Credentials, access, security, and identity