Place API key in Headers or URL

Thomas Ahle picture Thomas Ahle · Apr 1, 2011 · Viewed 124.5k times · Source

I'm designing a public API to my company's data. We want application developers to sign up for an API key so that we can monitor use and overuse.

Since the API is REST, my initial thought is to put this key in a custom header. This is how I've seen Google, Amazon, and Yahoo do it. My boss, on the other hand, thinks the API is easier to use if the key becomes merely a part of the URL, etc. "http://api.domain.tld/longapikey1234/resource". I guess there is something to be said for that, but it violates the principle of the URL as a simple address of what you want, and not how or why you want it.

Would you find it logical to put the key in the URL? Or would you rather not have to manually set HTTP headers if writing a simple javascript frontend to some data?

Answer

Darrel Miller picture Darrel Miller · Apr 1, 2011

It should be put in the HTTP Authorization header. The spec is here https://tools.ietf.org/html/rfc7235