Place API key in Headers or URL

rest http url authentication api-key
Thomas Ahle picture Thomas Ahle · Apr 1, 2011 · Viewed 124.5k times · Source

I'm designing a public API to my company's data. We want application developers to sign up for an API key so that we can monitor use and overuse.

Since the API is REST, my initial thought is to put this key in a custom header. This is how I've seen Google, Amazon, and Yahoo do it. My boss, on the other hand, thinks the API is easier to use if the key becomes merely a part of the URL, etc. "http://api.domain.tld/longapikey1234/resource". I guess there is something to be said for that, but it violates the principle of the URL as a simple address of what you want, and not how or why you want it.

Would you find it logical to put the key in the URL? Or would you rather not have to manually set HTTP headers if writing a simple javascript frontend to some data?

Answer

Darrel Miller picture Darrel Miller · Apr 1, 2011

It should be put in the HTTP Authorization header. The spec is here https://tools.ietf.org/html/rfc7235

Related questions

Recommended date format for REST GET API

What's the recommended timestamp format for a REST GET API like this: http://api.example.com/start_date/{timestamp} I think the actual date format should be ISO 8601 format, such as YYYY-MM-DDThh:mm:ssZ for UTC time. Should we use …

Read More
URL matrix parameters vs. query parameters

I'm wondering whether to use matrix or query parameters in my URLs. I found an older discussion to that topic not satisfying. Examples URL with query params: http://some.where/thing?paramA=1&paramB=6542 URL with matrix params: http://some.…

Read More
Different RESTful representations of the same resource

My application has a resource at /foo. Normally, it is represented by an HTTP response payload like this: {"a": "some text", "b": "some text", "c": "some text", "d": "some text"} The client doesn't always need all four members of this …

Read More