#security #API-design #system-design
API keys are often used in public APIs to mitigate risk and, sometimes, for monetization purposes.
Consider a public API service. If we have no control over API clients, we leave the service open to the internet and make it an easy target for denial-of-service attacks.
If we identify consumers by issuing an API key to each one, it becomes much easier to revoke (or rate-limit) the key of any consumer that makes high-frequency calls.
But since API keys are handed to third parties and exposed to the public, they are very easy to compromise, so do not rely on API keys for sensitive data or authorization.
API keys should not be exposed in the URL (URLs end up in server logs, proxies, referrers and browser history); instead, send them via the request's headers.
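The following is an added example, not code from the note, showing the server side of what is described above: a key is accepted only from a header (here assumed to be `X-API-Key`; a key found in an assumed `api_key` query parameter is rejected), it is looked up by its SHA-256 digest so a leaked consumer table does not yield usable keys, revoked consumers are refused, and each consumer gets a small sliding-window rate limit so a high-frequency caller can be throttled per key rather than by shutting the whole service. All keys and consumers are constructed sample values.

```python
import hashlib
import time
from collections import deque

# Constructed consumer table. Only the SHA-256 digest of each key is stored,
# never the key itself, so a database leak does not expose working keys.
def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

CONSUMERS = {
    _digest("demo-key-alice"):   {"owner": "alice",   "revoked": False},
    _digest("demo-key-mallory"): {"owner": "mallory", "revoked": True},  # revoked for abuse
}

RATE_LIMIT = 5          # max requests per key ...
WINDOW_SECONDS = 60.0   # ... inside this sliding window

_call_log = {}          # digest -> deque of request timestamps (per-key history)


def extract_api_key(headers, query_params):
    """Return (key, None) from the X-API-Key header, or (None, reason).

    A key carried in the query string is refused outright: URLs are logged
    by servers, proxies and browsers, so such a key should be treated as leaked.
    """
    if "api_key" in query_params:
        return None, "api key must not be sent in the URL"
    lowered = {name.lower(): value for name, value in headers.items()}
    key = (lowered.get("x-api-key") or "").strip()
    if not key:
        return None, "missing X-API-Key header"
    return key, None


def within_rate_limit(digest, now):
    """Sliding-window check: True if this key may make another call now."""
    history = _call_log.setdefault(digest, deque())
    while history and now - history[0] >= WINDOW_SECONDS:
        history.popleft()               # drop calls that fell out of the window
    if len(history) >= RATE_LIMIT:
        return False
    history.append(now)
    return True


def authorize(headers, query_params, now=None):
    """Return (http_status, detail) for an incoming request."""
    now = time.monotonic() if now is None else now
    key, err = extract_api_key(headers, query_params)
    if key is None:
        return 401, err
    digest = _digest(key)
    record = CONSUMERS.get(digest)
    if record is None:
        return 401, "unknown api key"
    if record["revoked"]:
        return 403, "api key revoked"
    if not within_rate_limit(digest, now):
        return 429, "rate limit exceeded"
    return 200, record["owner"]


if __name__ == "__main__":
    print(authorize({"X-API-Key": "demo-key-alice"}, {}))          # (200, 'alice')
    print(authorize({}, {"api_key": "demo-key-alice"}))            # key in URL -> 401
    print(authorize({"X-API-Key": "demo-key-mallory"}, {}))        # revoked -> 403
```

The rate limiter keeps state in process memory, which is enough to show the idea; a real deployment would keep the per-key counters in a shared store so every instance behind the load balancer sees the same consumer history. Note that a 429 is returned per key, so one abusive consumer is slowed down without affecting the others.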