Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
This is my first time building an authenticated API and I’m running into a few roadblocks.
How do I securely pass an API key from the remote client’s page to my server (for the user to authenticate connecting his account to the client’s page/app)?
-dylan
In my experience, API Keys are actually used as salt to hashes, and the key itself is not actually passed.
When a client generates a request to the server, it hashes a bunch of stuff together (request time, user_id) + the hash, and the hash is included in the request. On the server side, the same hash is recalculated based by retrieving the key for the server, and following the same steps. If the hash doesn’t match, it means that client making requests to the server doesn’t know 1) the steps to create the hash, and more importantly 2) the API key used as the salt to create the hash. In this way you can determine your client does in fact have the key, and that they know how to authenticate, all without sending the actual API Key.