samedi 6 février 2021

Are there any legitimaite reasons to use API Keys?

I've been researching the different ways of granting users API access to my application & it seems there's a strong consensus that every user should be given an access token along with an access token secret.

I've looked at several prominent APIs and I still see some of them exclusively relying on API Keys to grant users access to their application.

The structure of the request to server usually looks something like this:

https://api.example.com?api-key=test-data

I did come across this article by Zapier.com which states:

Use API keys if you expect developers to build internal applications that don’t need to access more than a single user’s data.

In my case, users/developers are only going to use their API Key to access their own data. Are there any legitimate reasons why I would still want/need to generate an access token, access token secret and consumer key? Also, it seems one reason of providing the end user an access token is to prevent a malicious user from intercepting someone's API Key (or the access token secret). If this is the case, how would a user hide his access token secret if I don't provide them with an access token (only with API Key)? How would he prevent his access token secret from being read and intercepted by a malicious 3rd party?



via Chebli Mohamed

Aucun commentaire:

Enregistrer un commentaire