Jump to content
Sign in to follow this  
mds1256

API Security and Keys?

Recommended Posts

Hi

 

I have a question about API keys and security.

 

I am building a mobile app (learning) and will be using a PHP/MySQL JSON Rest API (designed myself) and I am new to APIs in general so some best practices would be appreciated if you have any?

 

My real question is to do with securing these APIs. For example I was thinking of using user name and password that the user logs into the application with to be send over HTTPS for each request to validate the user is authorised and authenticated.

 

However I have read that I should also be using API keys, so how would I integrate this in?

 

Would each user have their own unique API key or would each system that uses this API have a unique key?

 

If its each user that has their own key would I send all three pieces of data with the request (API Key, username and password).

 

Any advice would be great.

 

Thanks

Share this post


Link to post
Share on other sites

Access keys only work if you can assign them to each endpoint. You could do that for a mobile app, but that's not the best way to go about it.

 

Access tokens would be more appropriate. Rather than send the login information for every request, requiring that you hold onto that information the whole time the user is on the app, you only log them in once. The server then returns a temporary token that can be used for subsequent requests in lieu of the credentials; it's time-restricted so the token doesn't last forever, and to keep the app working without requiring a login every 5 minutes you add to the API something which can generate a new token if requested (which the app would do when the token is close to expiring).

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.