Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have noticed that some API have you pass an API key as a url parameter while others have you pass it in the HTTP HEADER. I am developing a web-based application that is going to rely heavily on a REST API and right now I am just having it so the API KEY is pass through as a url parameter.
My question is whether or not one of those options is more secure than the other?
In both cases, the API key will be passed unencrypted. So both are insecure unless you use HTTPS.
In practice, HTTP header turns out to be a little bit more secure because –
Aside : A REST API over the web cannot be secured unless you ask the user to login with his credentials. Anybody can easily identify the API key and make requests to your server.
EDIT :
In response to @segfault’s comments –
A website user generally does not enter an API key. They enter their user name and password, and this is traded to get the API key or access token as it is typically called.
If you force your users to enter the API key instead of user name and password, well, it’d be secure. But as I said, I haven’t seen any serious application do that.
More specifically, I meant “If a backend API expects an API key, and you are making AJAX calls from the browser, and you don’t ask the user for some sort of credentials, you are insecure”