19183 Re: [rest-discuss] API Keys
Nov 29, 2012

Hi Erlend,
On Nov 29, 2012, at 12:26 PM, Erlend Hamnaberg <ngarthl@...> wrote:
> Is there anyone with experience implementing API Keys in their APIs?
If you are looking for something along the lines of OAuth Client identifiers, you should take a look at OAuth 1 and 2 and the associated discussions.
Eran, IMO, is the go-to guy in that space, and you should get much out of his blog
and recent projects
https://github.com/hueniverse/hawk (The README should provide a very good start).
Looking at Amazon IAM, as already suggested, is also good:
Here are good intro docs from Google:
Personally, I am most excited about OZ, because Eran's OAuth 2 criticism looks very valid when you dig into it.
> Putting the APIKey in the URI is obviously a bad idea as that leaks to every cache and intermediary. Including Apache logs.
> So it must be a new header field.
> The problem with APIKeys as such is that they are spoofable, unless they are cryptographically protected somehow, so my question is:
> What do you do in your api?
> I am thinking about writing up an internet draft for a new Api-Key header field.