Place API key in Headers or URL

Question

I m designing a public API to my company s data  We want application developers to sign up for an API key so that we can monitor use and overuse   Since the API is REST  my initial thought is to put this key in a custom header  This is how I ve seen Google  Amazon  and Yahoo do it  My boss  on the other hand  thinks the API is easier to use if the key becomes merely a part of the URL  etc   http   api domain tld longapikey1234 resource   I guess there is something to be said for that  but it violates the principle of the URL as a simple address of what you want  and not how or why you want it   Would you find it logical to put the key in the URL  Or would you rather not have to manually set HTTP headers if writing a simple javascript frontend to some data

User · Accepted Answer

It should be put in the HTTP Authorization header   The spec is here https   tools ietf org html rfc7235

User · Answer

I would not put the key in the url  as it does violate this loose  standard  that is REST   However  if you did  I would place it in the  user  portion of the url   eg  http   me example com myresource myid  This way it can also be passed as headers with basic-auth

User · Answer

It is better to use API Key in header  not in URL    URLs are saved in browser s history if it is tried from browser  It is very rare scenario  But problem comes when the backend server logs all URLs  It might expose the API key   In two ways  you can use API Key in header  Basic Authorization   Example from stripe   curl https   api stripe com v1 charges -u sk test BQokikJOvBiI2HlWgH4olfQ2    curl uses the -u flag to pass basic auth credentials  adding a colon after your API key will prevent it from asking you for a password    Custom Header  curl -H  X-API-KEY  6fa741de1bdd1d91830ba  https   api mydomain com v1 users

User · Answer

If you want an argument that might appeal to a boss  Think about what a URL is  URLs are public  People copy and paste them  They share them  they put them on advertisements  Nothing prevents someone  knowingly or not  from mailing that URL around for other people to use  If your API key is in that URL  everybody has it

User · Answer

passing api key in parameters makes it difficult for clients to keep their APIkeys secret  they tend to leak keys on a regular basis   A better approach is to pass it in header of request url you can set user-key header in your code   For testing your request Url you can use Postman app in google chrome by setting user-key header to your api-key

[rest] Place API key in Headers or URL

Examples related to rest

Examples related to http

Examples related to url

Examples related to authentication

Examples related to api-key