Why use an API key and secret?

api security authentication api-key secret-key
EsTeGe picture EsTeGe · Jul 19, 2012 · Viewed 43.9k times · Source

I came across many APIs that give the user both an API key and a secret. But my question is: what is the difference between both?

In my eyes, one key can be enough. Say I have a key and only I and the server know it. I create a HMAC hash with this key and do an API call. On the server, we create the HMAC hash again and compare it with the sent hash. If it's the same, the call is authenticated.

So why use two keys?

Edit: or is that API key used to lookup the API secret?

Answer

Marcus Adams picture Marcus Adams · Jul 19, 2012

You need two separate keys, one that tells them who you are, and the other one that proves you are who you say you are.

The "key" is your user ID, and the "secret" is your password. They just use the "key" and "secret" terms because that's how they've implemented it.

Related questions

JWT (JSON Web Token) automatic prolongation of expiration

I would like to implement JWT-based authentication to our new REST API. But since the expiration is set in the token, is it possible to automatically prolong it? I don't want users to need to sign in after every X …

Read More
Securing an API: SSL & HTTP Basic Authentication vs Signature

When designing an API for our web app, we'll use the their subdomain as the 'username' and generate an API key/shared secret. Firstly, is it ok to use the subdomain as the username? I don't see the benefit of …

Read More
What is an API key?

I see this word in almost every cross service application these days. What exactly is an API key and what are its uses? Also, what is the difference between public and private API keys.

Read More