Huy's Notes
The point of API Keys

The point of API Keys

#security #API-design #system-design

Are often used in public APIs, to mitigate risk, sometimes, for monetize purpose.

Consider a public API service, if we have no control over API clients, we would let the service open to the internet and make it an easy target for denial-of-service attack.

If we identify the consumers by issue an API key for each one, it will be more easy to revoke the key of any consumer that make high-frequency calls.

But, since API Keys are exposed to the public by third party, it's very easy to be compromised, so do not rely on API Keys for sensitive data or authorization.

API Keys should not be exposed in the URL, instead, send them via the request's headers.

Referred in


If you think this note resonated, be it positive or negative, please feel free to send me an email and we can talk.