Why use an API key and secret?

EsTeGe · Jul 19, 2012 · Viewed 43.9k times

I came across many APIs that give the user both an API key and a secret. But my question is: what is the difference between both?

In my eyes, one key can be enough. Say I have a key and only I and the server know it. I create an HMAC hash with this key and do an API call. On the server, we create the HMAC hash again and compare it with the sent hash. If it's the same, the call is authenticated.

So why use two keys?

Edit: or is that API key used to look up the API secret?

Answer

Marcus Adams · Jul 19, 2012

You need two separate keys, one that tells them who you are, and the other one that proves you are who you say you are.

The "key" is your user ID, and the "secret" is your password. They just use the "key" and "secret" terms because that's how they've implemented it.
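The scheme the question describes, with the answer's split between identifier and secret, as an added example (this is not code from either poster). The client sends the API key in the clear and an HMAC-SHA256 over the request computed with the secret; the server uses the key only to look up the secret, recomputes the HMAC and compares in constant time. The header names, the in-memory secret table and the timestamp check are assumptions made for this example, not part of any particular API.

```python
import hmac
import hashlib

# Constructed sample credential store: api_key -> api_secret.
# The key is the public identifier; the secret is the password-equivalent
# that is never sent over the wire. Values are made up for this example.
SECRETS = {
    "key_alice_01": b"alice-secret-0123456789",
    "key_bob_02": b"bob-secret-9876543210",
}


def canonical_string(method, path, body, timestamp):
    """Deterministic bytes that both sides sign; binding method, path and
    timestamp into it stops a captured signature from being replayed
    against a different endpoint or at a later time."""
    return f"{method}\n{path}\n{timestamp}\n".encode() + body


def sign_request(api_key, api_secret, method, path, body, timestamp):
    """Client side. Returns the headers to attach: the key identifies the
    caller, the signature proves possession of the secret."""
    mac = hmac.new(api_secret,
                   canonical_string(method, path, body, timestamp),
                   hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key,
            "X-Timestamp": str(timestamp),
            "X-Signature": mac}


def verify_request(headers, method, path, body, now, max_skew=300):
    """Server side. Look up the secret by key, recompute the HMAC and
    compare in constant time. Returns the api_key on success, else None."""
    api_key = headers.get("X-Api-Key")
    secret = SECRETS.get(api_key)
    if secret is None:
        return None  # unknown identifier
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None  # malformed timestamp
    if abs(now - ts) > max_skew:
        return None  # stale or replayed request
    expected = hmac.new(secret,
                        canonical_string(method, path, body, ts),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return api_key


if __name__ == "__main__":
    body = b'{"amount": 10}'
    hdrs = sign_request("key_alice_01", SECRETS["key_alice_01"],
                        "POST", "/v1/transfer", body, 1_700_000_000)
    print(verify_request(hdrs, "POST", "/v1/transfer", body, 1_700_000_010))
```

Because the secret is only ever used as an HMAC key, the server can verify the caller without the secret crossing the network, which is the property a single shared value sent in a header would not give you.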