
Hi

 

I have a question about API keys and security.

 

I am building a mobile app (as a learning exercise) and will be using a PHP/MySQL JSON REST API that I designed myself. I am new to APIs in general, so any best practices you have would be appreciated.

 

My real question is to do with securing these APIs. For example, I was thinking of using the username and password that the user logs into the application with, sent over HTTPS with each request, to validate that the user is authorised and authenticated.

 

However, I have read that I should also be using API keys, so how would I integrate those?

 

Would each user have their own unique API key or would each system that uses this API have a unique key?

 

If it's each user that has their own key, would I send all three pieces of data with the request (API key, username and password)?

 

Any advice would be great.

 

Thanks

https://forums.phpfreaks.com/topic/302794-api-security-and-keys/
Access keys only work if you can assign them to each endpoint. You could do that for a mobile app, but that's not the best way to go about it.

 

Access tokens would be more appropriate. Rather than sending the login information with every request, which requires you to hold onto that information the whole time the user is in the app, you only log them in once. The server then returns a temporary token that can be used for subsequent requests in lieu of the credentials. It is time-restricted so the token doesn't last forever, and to keep the app working without requiring a login every 5 minutes you add to the API something which can generate a new token on request (which the app would do when the token is close to expiring).
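The flow described in the reply above, written out as an added example in PHP; this is not code from the thread or from any project, just one way to implement it. It assumes a PDO connection (SQLite in memory here, standing in for the poster's MySQL database), a `users` table with `password_hash()` output, a `tokens` table that stores only a SHA-256 hash of each issued token, the token carried in an `Authorization: Bearer ...` header, and a 15-minute lifetime; all of those names and numbers are choices made for the example. In a real request handler the header string would come from `$_SERVER['HTTP_AUTHORIZATION']` rather than being passed in directly.

```php
<?php
// Added example (not from the thread): login once, get an opaque bearer token,
// use it instead of credentials, refresh it before it expires.
// Assumed: PDO + SQLite in memory as a stand-in for MySQL, table/column names,
// "Authorization: Bearer <token>" header, 15-minute token lifetime.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 15 * 60;   // assumed lifetime; short because the token *is* the credential
const TOKEN_BYTES       = 32;        // 256 bits from the CSPRNG

function openDb(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    // Constructed sample user; only the password_hash() output is stored, never the password.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

/** POST /login: credentials are sent exactly once; on success an opaque token comes back. */
function login(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown so that "no such user"
    // and "wrong password" take about the same time and return the same answer.
    $hash = $row ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    return issueToken($db, (int) $row['id']);
}

function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(TOKEN_BYTES));   // 64 lowercase hex chars; this is what the client holds
    // Store only a hash: if the tokens table leaks, the rows cannot be replayed as bearer tokens.
    $stmt = $db->prepare('INSERT INTO tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + TOKEN_TTL_SECONDS]);
    return $token;
}

/** Every other request: resolve the bearer token to a user id, or null if missing, unknown or expired. */
function authenticate(PDO $db, ?string $authorizationHeader): ?int {
    if ($authorizationHeader === null
        || !preg_match('/^Bearer\s+([a-f0-9]{64})$/', $authorizationHeader, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id FROM tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $m[1]), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

/** POST /token/refresh: trade a still-valid token for a fresh one; the old one is revoked. */
function refresh(PDO $db, ?string $authorizationHeader): ?string {
    $userId = authenticate($db, $authorizationHeader);
    if ($userId === null) {
        return null;               // an expired token cannot be refreshed; the user must log in again
    }
    preg_match('/^Bearer\s+(\S+)$/', $authorizationHeader, $m);
    $db->prepare('DELETE FROM tokens WHERE token_hash = ?')->execute([hash('sha256', $m[1])]);
    return issueToken($db, $userId);
}

function check(bool $ok, string $what): void {
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . "\n";
}

// Walk through the flow with the constructed user.
$db = openDb();
check(login($db, 'alice', 'wrong password') === null,               'bad password rejected');
check(login($db, 'nobody', 'whatever') === null,                     'unknown user rejected');
$token = login($db, 'alice', 'correct horse battery staple');
check($token !== null,                                               'login issues a token');
check(authenticate($db, "Bearer $token") === 1,                      'token resolves to user 1');
check(authenticate($db, 'Bearer ' . str_repeat('00', TOKEN_BYTES)) === null, 'unknown token rejected');
check(authenticate($db, null) === null,                              'missing header rejected');
$newToken = refresh($db, "Bearer $token");
check($newToken !== null && authenticate($db, "Bearer $token") === null,  'refresh revokes old token');
check(authenticate($db, "Bearer $newToken") === 1,                   'new token works');
```

Two points a practitioner would want to note. Because the server keeps a hash of the token, it can revoke a single token (logout, or the refresh above) by deleting one row, which is something a self-contained signed token cannot do without a blacklist. And the refresh endpoint only accepts a token that is still valid, so the app must call it before expiry, as the reply says; once a token has lapsed the only path back is the login endpoint with the credentials.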
