Passing api keys to rest api

php codeigniter rest api-key
MrFoh picture MrFoh · Dec 19, 2011 · Viewed 45.2k times · Source

Am working with phil sturgeon REST_Controller for codeigniter to create a REST api, so far i've been able to create a simple library for generating api keys for the users. My problem is now sending the api key to the API for each request, how i do this without having to manually send it for every request.

Answer

zombat picture zombat · Dec 19, 2011

You should look into request signing. A great example is Amazon's S3 REST API.

The overview is actually pretty straightforward. The user has two important pieces of information to use your API, a public user id and a private API Key. They send the public id with the request, and use the private key to sign the request. The receiving server looks up the user's key and decides if the signed request is valid. The flow is something like this:

  1. User joins your service and gets a user id (e.g. 123) and an API key.
  2. User wants to make a request to your API service to update their email address, so they need to send a request to your API, perhaps to /user/[email protected].
  3. In order to make it possible to verify the request, the user adds the user id and a signature to the call, so the call becomes /user/[email protected]&userid=123&sig=some_generated_string
  4. The server receives the call, sees that it's from userid=123, and looks up the API key for that user. It then replicates the steps to create the signature from the data, and if the signature matches, the request is valid.

This methodology ensures the API key is never sent as part of the communication.

Take a look at PHP's hash_hmac() function, it's popular for sending signed requests. Generally you get the user to do something like put all the parameters into an array, sort alphabetically, concatenate into a string and then hash_hmac that string to get the sig. In this example you might do:

$sig = hash_hmac("sha256",$params['email'].$params['userid'],$API_KEY)

Then add that $sig onto the REST url as mentioned above.

Related questions

Handling PUT/DELETE arguments in PHP

I am working on my REST client library for CodeIgniter and I am struggling to work out how to send PUT and DELETE arguments in PHP. In a few places I have seen people using the options: $this->option(…

Read More
How to send a post request to the RESTserver api in php-Codeigniter?

I've been trying to make a POST request in my CodeIgniter RestClient controller to insert data in my RestServer, but seems like my POST request is wrong. Here is my RestClient POST request in controller: $method = 'post'; $params = array('patient_…

Read More
GuzzleHttp Hangs When Using Localhost

Here is a simple code snipplet but this just hangs and unresponsive. $httpClient = new GuzzleHttp\Client(); // version 6.x $headers = ['X-API-KEY' => '123456']; $request = $httpClient->request('GET', 'http://localhost:8000/BlogApiV1/BlogApi/blogs/', $headers); $response = $client->send($request, […

Read More