
19183 Re: [rest-discuss] API Keys

  • Jan Algermissen
    Nov 29, 2012
      Hi Erlend,

      On Nov 29, 2012, at 12:26 PM, Erlend Hamnaberg <ngarthl@...> wrote:

      > Hi.
      > Is there anyone with experiences with implementing API Keys in their apis?

      If you are looking for something along the lines of OAuth Client identifiers, you should take a look at OAuth 1 and 2 and the associated discussions.

      Eran IMO is the go-to guy in that space and you should get much out of his blog


      and recent projects


      https://github.com/hueniverse/hawk (The README should provide a very good start).

      Looking at Amazon IAM, as already suggested, is also good:


      Here are good intro docs from Google:


      Personally, I am most excited about OZ, because Eran's OAuth 2 criticism looks very valid when you dig into it.


      > Putting the APIKey in the URI is obviously a bad idea as that leaks to every cache and intermediary. Including Apache logs.
      > So it must be a new header field.
      > The problem with APIKeys as such is that they are spoofable, unless they are cryptographically protected somehow, so my question is:
      > What do you do in your api?
      > --
      > Erlend
      > ps:
      > I am thinking about writing up an internet draft for a new Api-Key header field.
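
An added illustration of the concern in the quoted question (a bare key can be reused by anyone who sees it), not code from this thread or from Hawk: the key id travels in a header, while the shared secret only keys an HMAC over the request, a timestamp and a nonce. The header layout, field names, `SECRETS` store and `MAX_SKEW` value are assumptions made for the example and are not Hawk's wire format.

```python
import base64, hashlib, hmac, secrets, time

# Constructed sample credential store: key id -> shared secret (never sent on the wire).
SECRETS = {"client-42": b"constructed-demo-secret"}
MAX_SKEW = 60          # seconds a signed request stays acceptable (assumed value)
_seen_nonces = set()   # replay cache; a real service would expire old entries

def _mac(secret, method, host, path, ts, nonce):
    # Bind the MAC to the request itself so it cannot be moved to another request.
    msg = "\n".join([method.upper(), host.lower(), path, str(ts), nonce]).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def sign_request(key_id, secret, method, host, path, now=None):
    """Client side: build the value of a hypothetical request-auth header."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    mac = _mac(secret, method, host, path, ts, nonce)
    return f'keyid="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def verify_request(header, method, host, path, now=None):
    """Server side: return the key id if the header authenticates this request, else None."""
    try:
        fields = dict(p.strip().split("=", 1) for p in header.split(","))
        fields = {k: v.strip('"') for k, v in fields.items()}
        key_id, ts = fields["keyid"], int(fields["ts"])
        nonce, mac = fields["nonce"], fields["mac"]
    except (KeyError, ValueError):
        return None                      # malformed header
    secret = SECRETS.get(key_id)
    if secret is None:
        return None                      # unknown key id
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_SKEW:
        return None                      # stale or future-dated request
    expected = _mac(secret, method, host, path, ts, nonce)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None                      # wrong secret or altered request
    if (key_id, nonce) in _seen_nonces:
        return None                      # replay inside the time window
    _seen_nonces.add((key_id, nonce))
    return key_id
```

A header captured from a log or an intermediary authenticates only the one request it was computed for, and only until the nonce is seen or the time window closes.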