What is an API Key?
When an API (Application Programming Interface) endpoint offers its services to a user via HTTP, it is said to be "exposed" to API requests. This means traffic can flow in or out of the API endpoints, including potentially malicious traffic. API authentication protects the user and the API developers from data loss, service outages, or plain foolishness. It also lets developers see which endpoints receive the most API calls, and throttle problem users who are making too many requests.
At its root, API authentication is about keys. You ask for a key, and the owner grants you an authentication token, or key: a long, unique string of numbers and letters. Once you have an API key you are allowed to use the API, and the owner also knows who you are and what you are doing in their API.
How Do I Get an API Key?
Getting a new API key is similar to signing up for any other service. We will use the Abstract API as an example. Go to the Abstract API site and select **Create Your Free Account**. Enter your information and select **Sign Up**. You will receive a confirmation email with a link to your Abstract API dashboard. Navigate to any of the APIs listed, for example the **Exchange Rates** API. This page displays your unique key for that specific API, and has a host of console options for testing it out.
Testing Your New Token
You can test this API key in two ways:
- A quick cURL request in your terminal: `curl 'https://exchange-rates.abstractapi.com/v1/live/?api_key={YOUR API KEY}&base=USD&target=EUR'`
- Use the in-browser Abstract API console to test your new API with your new credentials.
API Key
API authentication is based on an exchange of keys between the user and the API. The user applies for a key via email or an authentication service and receives a public auth key and a private auth key. The public key is used in request headers and URLs (where it will be visible); the private key is used only in server-to-server communication. Some more secure alternatives to a plain API key are available:
- HMAC - HMAC stands for "hash-based message authentication code". It is more secure than a plain API key, because the private key signs each request instead of being sent along with it, but it requires significantly more effort to set up.
- OAuth - OAuth is a server-based authorization service. The client obtains an authorization code from an authorization server that acts as an intermediary between the client and the resource owner, and exchanges it for an access token. This approach is more secure than an API key because the client is authenticated and the access token is transmitted directly to the client.
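The public/private key split and the HMAC scheme described above, as an added example (not Abstract API's code): the public key identifies the caller in a header, while the private key never leaves the client and is used only to sign the request. The header names, the sample credential pair and the 300-second replay window are constructed assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample credentials (assumption: issued to the user at sign-up).
# The public key may travel in headers; the private key stays on the client
# and in the server's credential store and is never transmitted.
CREDENTIALS = {"pub_demo_1234": b"priv_demo_secret_do_not_share"}
MAX_SKEW_SECONDS = 300  # reject signatures older than this (limits replay)


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bytes both sides sign: method, path, timestamp and a digest of the body."""
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(public_key: str, private_key: bytes, method: str, path: str,
                 body: bytes = b"", timestamp: Optional[int] = None) -> dict:
    """Client side: build the headers that accompany the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(private_key, canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-Api-Key": public_key, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(headers: dict, method: str, path: str, body: bytes = b"",
                   now: Optional[int] = None) -> bool:
    """Server side: look up the private key by public key id and recompute the MAC."""
    private_key = CREDENTIALS.get(headers.get("X-Api-Key", ""))
    if private_key is None:
        return False  # unknown public key
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated signature
    expected = hmac.new(private_key, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    path = "/v1/live/?base=USD&target=EUR"
    hdrs = sign_request("pub_demo_1234", CREDENTIALS["pub_demo_1234"], "GET", path)
    print(verify_request(hdrs, "GET", path))  # True
```

Because only a signature travels over the wire, a captured request cannot be reused after the skew window closes or against a different path or body.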
Conclusion
The API key exchange is one of the cornerstones of API development. It's an elegant solution to the API security and password anti-pattern problems that web development faced. Basically, ask for your key, receive your key, and get to work!