How do you manage api keys#1
I'm looking at building an API and was considering OAuth for managing access to the API, but what I'm doing is more of a B2B system allowing businesses to access data to incorporate into their sites. I won't have any B2C at the beginning.

So OAuth doesn't seem like the right tool for me. I've been looking for sources regarding building a key-based system, but haven't come across anything.

Is something available out there already?
Is it best to just create a hash of some user submitted data or something like that?

posted date: 2008-12-31 13:04:00


Re: How do you manage api keys#2
I have worked out the solution to this problem. Click to view my topic...

Hope that helps.

posted date: 2008-12-31 13:04:01


Re: How do you manage api keys#3
I wouldn't just use user-submitted data, as that can create a situation where API keys are guessable. Generally, I take some data that is generated by the user, and then combine it with some data that is relatively unique (i.e., current system time) and hash that using SHA-1 or something, perhaps change the representation if I don't want it to obviously be a SHA-1 hash, and then use that as the key.

posted date: 2008-12-31 13:09:00


Re: How do you manage api keys#4
What you need is just something that uniquely identifies the user... Just use a UUID or maybe a hash of a UUID. Just make sure that this ID is passed over a secure channel; if you are passing it over an insecure channel you may need to implement some method of securing the ID similar to HTTP digest auth.

posted date: 2008-12-31 13:38:00
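The key-issuance scheme discussed in the two replies above (a UUID as the public identifier, plus a secret that must not be guessable), as an added example that is not code from any poster. It goes slightly beyond the replies: the secret comes from the OS CSPRNG rather than from user data or the clock, and the server stores only a SHA-256 digest of the secret, so a copy of the key table does not hand out working keys. The in-memory `_KEY_STORE` dictionary and the client names are constructed stand-ins for a database table.

```python
import hashlib
import hmac
import secrets
import uuid
from typing import Dict, Optional, Tuple

# Constructed stand-in for a database table: key_id -> (client name, sha256(secret) hex)
_KEY_STORE: Dict[str, Tuple[str, str]] = {}


def generate_api_key() -> Tuple[str, str]:
    """Return (key_id, secret).

    key_id is a random UUID used as the public identifier of the caller.
    secret is 32 bytes from the OS CSPRNG, hex-encoded (64 chars); it is
    the part the client must keep private.
    """
    key_id = str(uuid.uuid4())
    secret = secrets.token_hex(32)
    return key_id, secret


def _digest(secret: str) -> str:
    # Keys are high-entropy, so a plain SHA-256 (no salt/stretching) is enough
    # to keep the raw secret out of the store.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_key(client_name: str) -> Tuple[str, str]:
    """Create a key for a client, store its digest, and return the pair once."""
    key_id, secret = generate_api_key()
    _KEY_STORE[key_id] = (client_name, _digest(secret))
    return key_id, secret


def lookup_client(key_id: str, presented_secret: str) -> Optional[str]:
    """Return the client name if key_id exists and presented_secret matches, else None."""
    record = _KEY_STORE.get(key_id)
    if record is None:
        return None
    client_name, stored_digest = record
    # Constant-time comparison so response timing does not leak how many
    # characters of the digest matched.
    if not hmac.compare_digest(_digest(presented_secret).encode(), stored_digest.encode()):
        return None
    return client_name


def revoke_key(key_id: str) -> bool:
    """Remove a key; returns True if it existed."""
    return _KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    kid, sec = issue_key("example-partner")
    print("issued", kid, "secret length", len(sec))
    print("lookup ->", lookup_client(kid, sec))
```

The secret is returned to the caller exactly once at issuance; afterwards the server can only verify it, not display it, which is the same property a hashed password table gives you.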


Re: How do you manage api keys#5
Take a look at almost any Web 2.0 site/service. They all have varying degrees of doing auth and managing API keys. Flickr, Twitter, Github, etc.

posted date: 2008-12-31 14:41:00


Re: How do you manage api keys#6
Right, but looking at the services isn't really giving much of an indication on managing keys and auth (not that I can recognize anyway).

posted date: 2008-12-31 15:26:00


Re: How do you manage api keys#7
Depending on requirements, in the world of web APIs, giving your partners/developers an API key (identification) and requiring they sign the calls (authentication) is pretty standard. There are lots of ways to spec signatures. A pretty common one these days is: take all params of the call, a timestamp (+/- 5 min wiggle), a shared secret, and hash it using SHA-1 or MD5 (SHA-1 better). You can either implement this yourself or find a partner (there are a few) to do it for you.

posted date: 2009-03-10 15:29:00


Re: How do you manage api keys#8
The general approaches being suggested here (to use a hash which includes an API key and the current time) are all good - certainly better than including a "password" in the message. However, there is a crypto-standard way of doing this "mung" operation called HMAC. Well worth looking at if you want something more standard / robust / safe. Finally there is obviously the "gold standard" from security options - use a digital certificate to sign either all requests (can be computationally expensive) or use it to sign an initial request which then generates a limited-use session key (e.g. one API only, with an expiry after 60 minutes). Alternatively you could use 2-way SSL for the transport layer and simply trust that within the application / API. Really depends how secure you want it... :]

posted date: 2010-10-12 02:41:00
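The signed-call scheme from the two replies above (API key for identification, all parameters plus a timestamp with a +/- 5 minute window, keyed with a shared secret), implemented with HMAC as the later reply recommends. This is an added example, not code from any poster; it uses HMAC-SHA256 instead of SHA-1/MD5, and it adds two things a verifier needs that the replies only imply: the parameters are canonicalised (sorted) so both sides hash identical bytes, and an optional set of already-seen signatures rejects replays inside the time window. The `SECRETS` table and the key id `partner-42` are constructed values.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set
from urllib.parse import urlencode

# Constructed shared-secret table: api key id -> secret bytes (hypothetical values)
SECRETS: Dict[str, bytes] = {"partner-42": b"constructed-shared-secret-for-demo"}
ALLOWED_SKEW = 300  # seconds, i.e. the +/- 5 minute window from the thread


def canonical_string(method: str, path: str, params: Dict[str, str]) -> bytes:
    """Deterministic byte string covering everything the signature protects.

    Params are sorted so the client and server agree regardless of the order
    the query string was built in. The method and path are included so a
    signature for GET /v1/orders cannot be reused on DELETE /v1/orders.
    """
    items = sorted(params.items())
    return "\n".join([method.upper(), path, urlencode(items)]).encode("utf-8")


def sign_request(key_id: str, method: str, path: str, params: Dict[str, str],
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: return the full parameter set including api_key, timestamp and signature."""
    ts = int(time.time()) if timestamp is None else timestamp
    signed = dict(params, api_key=key_id, timestamp=str(ts))
    mac = hmac.new(SECRETS[key_id], canonical_string(method, path, signed), hashlib.sha256)
    return dict(signed, signature=mac.hexdigest())


def verify_request(method: str, path: str, received: Dict[str, str],
                   now: Optional[int] = None, seen: Optional[Set[str]] = None) -> bool:
    """Server side: True only if the key is known, the timestamp is within the
    window, the HMAC matches, and (if `seen` is given) the signature is new."""
    secret = SECRETS.get(received.get("api_key", ""))
    if secret is None:
        return False
    try:
        ts = int(received["timestamp"])
    except (KeyError, ValueError, TypeError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > ALLOWED_SKEW:
        return False  # stale or too far in the future: replay outside window
    presented = received.get("signature", "")
    unsigned = {k: v for k, v in received.items() if k != "signature"}
    expected = hmac.new(secret, canonical_string(method, path, unsigned), hashlib.sha256).hexdigest()
    # Constant-time compare so timing does not reveal a partial match.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    if seen is not None:
        if presented in seen:
            return False  # exact replay within the window
        seen.add(presented)
    return True


if __name__ == "__main__":
    req = sign_request("partner-42", "GET", "/v1/orders", {"customer": "alice", "limit": "10"})
    print("valid:", verify_request("GET", "/v1/orders", req))
    req["limit"] = "1000"
    print("tampered valid:", verify_request("GET", "/v1/orders", req))
```

The `seen` set only needs to hold signatures for as long as the skew window, since anything older is already rejected by the timestamp check; in a real deployment that set would live in a shared cache rather than in process memory.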

