Implementing API keys for my API

java javascript spring node.js api-key
LuckyLuke picture LuckyLuke · Jan 4, 2013 · Viewed 8.3k times · Source

I have created an api and I want to have some control over who uses it, how often etc. I want to have an API key strategy so that the users must provide the key in order to use the API. However i don't know how to implement it. The users are registered with username and password. What i thought of was to assign a UUID when the user logs in and store it in a table in the database. Then each request includes this uuid and it is checked on each request at the server.

However this does not seem right. Could someone explain the steps in order to create an api key like, dropbox, twitter, facebook etc. does? I want to try to implement this myself.

Answer

Kristian picture Kristian · Jan 4, 2013

Could someone explain the steps in order to create a api key like, dropbox, twitter, facebook etc. does? I want to try implement this myself.

Generating The API Key

  1. choose some encryption / decryption method you'd like to use
  2. choose a salt that you will add to the data before encryption
  3. decide what data you want inside the encrypted string: timestamp, Uid, roles, etc. The timestamp is the most useful part of this, because using the timestamp, you can restrict requests that come from a key older than some time, thus requiring a new key to be generated.
  4. bundle it in something you can parse later once decrypted. Some people use json objects, some do char-delimited strings

Note: if you don't want it to be a decryptable key, as in, it is hashed and thus infinitely more difficult to crack, then you can simply follow this stratgey: make a set of steps to form your unhashed data string: sha1("some-secret"."some-other-bit-of-info"."etc"."etc") and then the API consumer has the onus on them to generate their own key. Thus, they have access only if they have the necessary parts / info needed to construct it.

Consuming the API

Take Stripe's API as a decent example:

  1. make authorization request: an API key is returned. "curl uses the -u flag to pass basic auth credentials (adding a colon after your API key will prevent it from asking you for a password)." --Stripe Docs

  2. send that key along with all further requests.

Related questions

Spring JSON request getting 406 (not Acceptable)

this is my javascript: function getWeather() { $.getJSON('getTemperature/' + $('.data option:selected').val(), null, function(data) { alert('Success'); }); } this is my controller: @RequestMapping(value="/getTemperature/{id}", headers="Accept=*/*", method = RequestMethod.GET) @ResponseBody public Weather getTemparature(@PathVariable("id") Integer id){ …

Read More
JSR 303 Bean Validation + Javascript Client-Side Validation

What is the best way to perform client-side form validation using Javascript (with minimal code duplication) when using JSR 303 bean validation on the server side? I'm currently using Spring 3 and the Hibernate Validator.

Read More
how to push the data to the jsp with out requesting it for every 2 seconds?

I want to push the data to the jsp for every 2 seconds, with out client requesting it. I am using Spring with Hibernate here. I am displaying google maps marker, and I want to update the marker location for every 2 …

Read More