
19183 Re: [rest-discuss] API Keys

  • Jan Algermissen
    Nov 29, 2012
      Hi Erlend,

      On Nov 29, 2012, at 12:26 PM, Erlend Hamnaberg <ngarthl@...> wrote:

      > Hi.
      >
      >
      > Is there anyone with experience implementing API Keys in their APIs?

      If you are looking for something along the lines of OAuth Client identifiers, you should take a look at OAuth 1 and 2 and the associated discussions.

      Eran IMO is the go-to guy in that space and you should get much out of his blog

      http://hueniverse.com

      and recent projects

      https://github.com/hueniverse/oz

      https://github.com/hueniverse/hawk (The README should provide a very good start).

      Looking at Amazon IAM, as already suggested, is also good:

      http://aws.amazon.com/documentation/iam/

      Here are good intro docs from Google:

      https://developers.google.com/accounts/docs/OAuth2

      Personally, I am most excited about OZ, because Eran's OAuth 2 criticism looks very valid when you dig into it.


      HTH
      Jan


      >
      > Putting the APIKey in the URI is obviously a bad idea as that leaks to every cache and intermediary. Including Apache logs.
      >
      > So it must be a new header field.
      >
      > The problem with APIKeys as such is that they are spoofable, unless they are cryptographically protected somehow, so my question is:
      >
      > What do you do in your api?
      >
      >
      > --
      > Erlend
      >
      >
      > ps:
      > I am thinking about writing up an internet draft for a new Api-Key header field.
      >
      >
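
An added example, not part of the original message and not the Hawk or Oz wire format: a minimal sketch of the "cryptographically protected" key the question asks about, where only a key id travels in a header and the shared secret is used to MAC the method, path, timestamp and nonce. The header field layout, `SECRETS`, the sample credential and the 60-second skew window are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample credential store: key id -> shared secret (never sent on the wire).
const SECRETS = new Map([['client-42', 'constructed-sample-secret']]);
const MAX_SKEW_SECONDS = 60;       // assumed freshness window
const seenNonces = new Set();      // in-memory replay cache; a real service would expire entries

// HMAC-SHA256 over every request attribute an intermediary must not be able to change.
function mac(secret, method, path, ts, nonce) {
  const canonical = [method.toUpperCase(), path, ts, nonce].join('\n');
  return crypto.createHmac('sha256', secret).update(canonical).digest('base64');
}

// Client side: build the value of a hypothetical authentication header.
function signRequest(id, secret, method, path, ts, nonce) {
  const tag = mac(secret, method, path, ts, nonce);
  return `id="${id}", ts="${ts}", nonce="${nonce}", mac="${tag}"`;
}

// Server side: returns the authenticated key id, or null on any failure.
function verifyRequest(method, path, header, now) {
  const f = {};
  for (const m of header.matchAll(/(\w+)="([^"]*)"/g)) f[m[1]] = m[2];
  const secret = SECRETS.get(f.id);
  if (!secret || !f.ts || !f.nonce || !f.mac) return null;

  // Reject stale or future-dated requests before doing anything else.
  if (!/^\d+$/.test(f.ts) || Math.abs(now - Number(f.ts)) > MAX_SKEW_SECONDS) return null;

  // Constant-time comparison so the check does not leak how many bytes matched.
  const expected = Buffer.from(mac(secret, method, path, f.ts, f.nonce));
  const given = Buffer.from(f.mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  // Record the nonce only after the MAC verifies, so unauthenticated
  // callers cannot fill the replay cache.
  const replayKey = `${f.id}:${f.ts}:${f.nonce}`;
  if (seenNonces.has(replayKey)) return null;
  seenNonces.add(replayKey);
  return f.id;
}
```

A header captured from a log or cache is useless for a different path, after the skew window, or a second time, which is the property a bare key in a URI or header lacks.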