API key authentication (2024)

Overview

API keys are supplied by client users and applications calling REST APIs so that the API provider can track and control how the APIs are used (for example, to meter access and to prevent abuse or malicious attack). The Authenticate API Key filter enables you to authenticate an API key with the API Gateway. An API key always includes a key ID that identifies the client responsible for the API service request. The key ID is not a secret, and must be included in each request. An API key can also include a confidential secret key used for authentication, which must be known only to the client and to the API service. You use the Authenticate API Key filter to specify where to find the API key ID and the secret key in the request message, and to configure timestamp and expiry validation.

An example use case for this filter is a client accessing a REST API service to invoke specific methods (for example, startVM() or stopVM()). To invoke these methods, the client must present its API key ID and prove possession of its secret key to the API Gateway. The simplest option is to send the secret key itself in the request over HTTPS, so that TLS protects it in transit; the secret is then still exposed to anything that terminates TLS or logs requests in front of the gateway. The stronger option is to use the secret key to compute an HMAC signature over the request. The secret key is then never sent: the request carries a signature that could only have been produced by a party holding that secret, so possession of the key is inferred from the signature. When the API Gateway receives the request, it uses the API key ID to look up the corresponding secret key in its store, recomputes the signature over the received request, and compares the two; a match authenticates the sender. Note that an HMAC is a keyed message authentication code, so the verifier holds the same secret as the signer; it is not a public-key digital signature.

The API Gateway supports the following API key types:

  • Simple API keys including a key ID only. The API key ID is included in all requests to authenticate the client.

  • Amazon Web Services style API keys including a key ID and a secret key, which are used together to securely authenticate the client. The API key ID is included in all requests to identify the client. The secret key is known only to the client and the API Gateway.

For more details on the Amazon Web Services signing scheme used here (AWS Signature Version 2, which AWS has since superseded with Signature Version 4 for new deployments), see

http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html

General settings

Configure the following general settings:

Name:

Enter a suitable name for this filter in your policy.

KPS Alias:

Enter the alias name of the Key Property Store (KPS) used to store the API keys. For more details, see Key Property Store. Defaults to the example ClientRegistry supplied with the API Gateway. For details on storing API keys in the Oracle Client Application Registry, see the API Gateway OAuth User Guide.

Field Containing Secret:

Enter the name of the field in the KPS that contains the secret. Defaults to secretKey.

API key settings

Configure the following fields on the API Key tab:

Where to find API key:

To specify where to find the API key in the request message, select one of the following options:

  • API key is located in:

    Select one of the following from the list:

    • Query String

    • Header

    • Parameter

    The default option is Query String. Enter the name in the text box. Defaults to KeyId.

  • API key is in Authorization header with format:

    Select one of the following Authorization headers from the list:

    • Amazon AWS s3 Authorization Header - "AWS apiKey + ":" + base64(signature)"

    • HTTP Basic Authentication Header - "Basic base64(apiKey:secret)"

    Defaults to the Amazon AWS s3 Authorization Header.

  • API key can be found using the following selector:

    Enter the selector value that specifies the location of the API key. For details on selectors, see Select configuration values at runtime. Defaults to ${http.client.getCgiArgument("KeyId")}.

Where to find Secret key:

To specify where to find the secret key in the request message, select the Extract Secret setting, and select one of the following options:

  • Secret key is in:

    Select one of the following from the list:

    • Query String

    • Header

    • Parameter

    The default option is Query String. Enter the name in the text box. Defaults to SecretKey.

  • Secret key is in Authorization header with format:

    Select the Authorization header from the list. Defaults to HTTP Basic Authentication Header - "Basic base64(apiKey:secret)".

  • Secret key can be inferred from signature:

    The client can use the secret key to generate an HMAC signature that is included in the request. When the API Gateway receives the request, it uses the API key ID to identify the client and look up the corresponding secret key in the KPS configured under General settings (the Client Application Registry by default). The secret key is then used to recompute and validate the signature and so authenticate the client. To specify the signature format, select one of the following from the list:

    • Amazon AWS s3 Authorization Header Authentication - "AWS apiKey + ":" + base64(signature)"

    • Amazon AWS s3 REST Authentication - "?Signature=<base64(signature)>&Expires=<seconds since epoch>&AWSAccessKeyId=<aws-id>" (the base64 signature is URL-encoded in the query string, because it can contain +, / and =)

    Defaults to Amazon AWS s3 Authorization Header Authentication.

  • Secret key can be found using the following selector:

    Enter the selector value that specifies the location of the secret key. For details on selectors, see Select configuration values at runtime. Defaults to ${http.client.getCgiArgument("SecretKey")}.
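The signing and verification flow described in the Overview and under "Secret key can be inferred from signature" (the secret is never transmitted; the gateway recomputes the HMAC from the secret it holds for the key ID), as an added example. This is not code from the API Gateway product or its documentation. It implements both Amazon S3-style formats listed above, the Authorization header and the query-string (Signature/Expires/AWSAccessKeyId) variant, using the StringToSign layout from the S3 REST authentication document linked in the Overview. The key ID, the secret and the KEY_STORE dictionary are constructed stand-ins for entries in the KPS; the function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the Key Property Store (KPS): key ID -> secret key.
# Both values are made-up sample credentials, not real AWS keys.
KEY_STORE = {
    "AKIAEXAMPLEKEYID": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


def string_to_sign(method, resource, headers, date_or_expires):
    """Build the S3-style StringToSign. `headers` uses lowercase names.
    For header authentication `date_or_expires` is the Date header value;
    for query-string authentication it is the Expires value. Sub-resources
    such as ?acl are deliberately not handled in this example."""
    amz = sorted((k, v.strip()) for k, v in headers.items() if k.startswith("x-amz-"))
    canonical_amz = "".join(f"{k}:{v}\n" for k, v in amz)
    return (
        f"{method.upper()}\n"
        f"{headers.get('content-md5', '')}\n"
        f"{headers.get('content-type', '')}\n"
        f"{date_or_expires}\n"
        f"{canonical_amz}{resource}"
    )


def sign(secret, sts):
    """base64(HMAC-SHA1(secret, StringToSign)), as in the S3 scheme."""
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def client_authorization_header(key_id, secret, method, resource, headers):
    """Client side: value for 'Authorization: AWS <keyId>:<base64(signature)>'."""
    sts = string_to_sign(method, resource, headers, headers.get("date", ""))
    return f"AWS {key_id}:{sign(secret, sts)}"


def client_presigned_url(key_id, secret, method, resource, expires):
    """Client side: '?Signature=..&Expires=..&AWSAccessKeyId=..'. urlencode
    percent-encodes the base64 signature, which may contain '+', '/' and '='."""
    sts = string_to_sign(method, resource, {}, str(expires))
    query = urlencode({"Signature": sign(secret, sts),
                       "Expires": str(expires), "AWSAccessKeyId": key_id})
    return f"{resource}?{query}"


def _check(key_id, presented, sts, key_store):
    """Look up the secret for key_id, recompute the signature and compare in
    constant time. Returns key_id on success, None otherwise."""
    secret = key_store.get(key_id)
    if secret is None:
        # Unknown ID: still compute an HMAC so response time does not leak
        # whether the key ID exists in the store.
        sign("dummy-secret-for-constant-timing", sts)
        return None
    expected = sign(secret, sts)
    if hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return key_id
    return None


def verify_header_auth(method, resource, headers, key_store=KEY_STORE):
    """Gateway side for 'Authorization: AWS keyId:signature'."""
    scheme, _, rest = headers.get("authorization", "").partition(" ")
    key_id, sep, presented = rest.partition(":")
    if scheme != "AWS" or not sep or not key_id or not presented:
        return None
    sts = string_to_sign(method, resource, headers, headers.get("date", ""))
    return _check(key_id, presented, sts, key_store)


def verify_query_auth(method, url, headers, key_store=KEY_STORE):
    """Gateway side for the query-string variant. Expires is part of the
    signed string, so tampering with it invalidates the signature; checking
    it against the clock is a separate step (the Advanced settings)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)  # percent-decodes the signature again
    try:
        key_id, presented, expires = (qs[k][0] for k in ("AWSAccessKeyId", "Signature", "Expires"))
    except KeyError:
        return None
    sts = string_to_sign(method, parts.path, headers, expires)
    return _check(key_id, presented, sts, key_store)
```

The two things worth copying from this into any verifier are the constant-time comparison (a plain string compare of the presented and expected signatures leaks, byte by byte, how much of a forged signature is right) and the dummy HMAC on an unknown key ID, which keeps the response time of "no such key" indistinguishable from "bad signature".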

Authenticate API key and secret:

Select whether to authenticate both the API key ID and the secret key. When selected, the client must supply both the API key ID and the secret key (or a signature derived from it) in the request message, and the filter fails if either is missing or does not match. When unselected, only the API key ID is checked, which identifies the client but does not prove possession of any secret. This setting is selected by default.

Advanced settings

Configure the following fields on the Advanced tab:

Validate Timestamp:

Select whether to validate the API key timestamp using the settings specified below. This setting is unselected by default.

Timestamp is located in:

To specify where the timestamp is located in the request message, select one of the following from the list:

  • Header

  • Parameter

  • Query String

The default option is Header. Enter the name in the text box. Defaults to Date.

Timestamp format is:

To specify the timestamp format, select one of the following from the list:

  • Simple Date Format

  • Milliseconds since epoch

  • Seconds since epoch

The default option is Simple Date Format. Enter the format in the text box. Defaults to EEE, dd MMM yyyy HH:mm:ss zzz, a Java SimpleDateFormat pattern that matches the HTTP Date header (for example, Tue, 27 Mar 2007 19:36:42 GMT).

Timestamp Drift +/-:

You can specify a drift time in milliseconds to allow differences in the clock times between the machine on which the API key was generated and the machine on which the API Gateway is running. Defaults to +/-60000 milliseconds (one minute). Keep the drift as small as clock synchronization allows: a request with a valid signature can be replayed for as long as its timestamp stays inside the window, so the drift value is also the replay window.

Validate Expires:

Select whether to validate the API key expiry details using the settings specified below. This setting is unselected by default.

Expires is located in:

To specify the location of the expiry details in the request message, select one of the following from the list:

  • Query String

  • Header

  • Parameter

The default option is Query String. Enter the name in the text box. Defaults to Expires.

Expires format is:

To specify the format of the expiry details, select one of the following from the list:

  • Milliseconds since epoch

  • Seconds since epoch

  • Simple Date Format

The default option is Milliseconds since epoch. Enter the format in the text box.

Timestamp Drift +/-:

You can specify a drift time in milliseconds to allow differences in the clock times between the machine on which the API key was generated and the machine on which the API Gateway is running. This drift is applied when the Expires value is compared against the gateway clock. Defaults to 60000 milliseconds (one minute).

FAQs

Is an API key enough security?

API keys are not as secure as authentication tokens, but they do identify the application or project that is calling an API. They are generated for the project making the call, and you can restrict their use to an environment such as an IP address range or a specific Android or iOS app.

How do I pass API authentication?

In API key authentication, the API provider assigns a unique key to each client accessing the API. The client includes that key in every request to identify itself. The key can be carried in a header, in the request body, or in a query parameter, at whichever location the provider specifies; headers are preferable to query parameters, which tend to end up in access logs and browser history.

How to do API key authentication?

Basic Auth and API keys can also be used together. You can pass the API key via Basic Auth as either the username or the password. Most implementations pair the API key with a blank value for the unused field.

What are the disadvantages of API keys?

Lack of user context: an API key authenticates an application, not a person, so it does not by itself provide user-specific authentication or make individual user access easy to track and manage. This limitation matters wherever user-level authorization is required.

How to secure an API without authentication?

An API without authentication is exposed to anyone who can reach it; the remedies are to add controls around it:
  1. Implement strong authentication methods.
  2. Enforce role-based access control (RBAC).
  3. Implement multi-factor authentication (MFA).
  4. Encrypt sensitive data.
  5. Monitor and log API activity.
  6. Regularly update and patch APIs.

Is API key authentication better than basic authentication?

API key authentication is usually preferred to basic authentication with a user's password because the key is a per-client credential that can be revoked or regenerated on its own if it is compromised, and because it lets the API provider monitor and control access per client. Both are static secrets sent on every request, so neither is safe without TLS.

What is the most secure API authentication method?

OAuth 2.0. OAuth 2.0 is the industry-standard authorization framework. It lets an application obtain scoped, short-lived access tokens for resources hosted by another service without that service ever seeing the user's credentials, which is why it is generally preferred over long-lived static API keys.

How do I verify my API key?

In an API management platform such as Apigee, you set up API key validation by attaching a policy of type Verify API Key to the proxy. The only required setting for a VerifyAPIKey policy is the expected location of the API key in the client request. The API proxy checks that location, extracts the API key, and rejects the request if the key is missing or not recognized.

How is API key authentication different from OAuth?

While the API key mechanism is easy and well understood, OAuth provides an alternative that is considered more secure and better suited to supporting a large number of users. OAuth separates the authentication process from access to the resource, and therefore limits the exposure of the credentials.

What is basic authentication with an API key?

Basic Authentication using an API key

A username and password are supplied, separated by a colon. The username:password string is base64 encoded and sent in the Authorization header, prefaced by the string Basic and a space. When using this authentication method in FusionAuth for an API, the username must be the string apikey in lowercase.

How do I check API authentication?

Authentication in REST API

A REST API authenticates each HTTP request individually. The request carries the credential in a header, conventionally the Authorization header, which holds a username and password or a key or token in a scheme-specific form; the server validates that value on every request.

Is it OK to expose an API key?

The exposure of API secret keys, which authenticate and authorize requests to your API, to outsiders can jeopardize the security and privacy of your application and have a substantial financial impact - think $17M we discovered via one exposed Stripe token.

Is it safe to share my API key?

Keep the key confidential, as it can be misused if shared or stolen. Exposed API keys can lead to unauthorized access to sensitive data, system functionality, and proprietary business information, and to manipulation of the systems behind the API.

Does API provide security?

API security works at two levels. At the API level it inspects the requests and data entering the API environment; at the application level it blocks attempts to make the application malfunction or to let other users get inside and steal sensitive information.

Should I restrict my API key?

Yes. API key restrictions ensure that only your own apps and websites can use your keys. For example, Google Cloud recommends restricting each key by which clients or websites may use it (referrers, IP addresses, or app identities) and by which APIs it may call.
