What is an API Key?
Application programming interfaces (APIs) are a double-edged sword.
They accelerate your development process with reusable data and functionalities. But the API endpoints you use exposes your project to cyberattacks, information misuse, and application downtime risks.
These best practices for API keys will help you avoid the most prevalent API security risks.
How Do API Keys Work?
API keys are unique pieces of identifying code that get issued by an API creator to authenticate projects that make API calls.
Each API key has its own set of API resource access permissions. They are generated and used when:
- Projects that want to access API resources request an API key
- The API owner creates and shares a unique API key for a requesting project
- Registered projects use their unique key whenever they need to access API resources
API owners check the requesting client's HTTP header for a valid API key. This authentication process helps APIs to reject all requests that don't have a valid API key. In turn, authentication significantly reduces the number of unwanted malicious requests and anonymous calls.
API keys can also verify if a particular API call has the necessary permissions to use the resources it needs. For instance, let's say the API key of a user informs the API owner that it only has read permissions. In this case, any attempt by this user to write records on the API server will get nullified. This, in turn, reduces the chances of the API misbehaving due to unauthorized edits.
API Keys Block Anonymous Traffic and Restrict API Calls
To avoid anonymous traffic, API owners can reject API calls that don't have a valid API key. By blocking anonymous API requests, API owners narrow down the scope of a cyberattack and minimize the chances of API downtime.
API keys can also be used to rate limit the number of API resource requests a registered user can make. When you set resource consumption limits for each API key, you prevent resource starvation attacks that eventually lead to distributed denial-of-service (DDoS) attacks. For instance, rate limiting all API keys to 100 requests per second will automatically throttle an API call for 10,000 requests per second.
API owners can also use keys to understand the API usage patterns of all registered users. This inspection can surface malicious activity. The API owner can also filter API activities and map them against the API keys that called for it --- allowing for greater visibility into potential cyberattacks.
API Keys, Along With Authentication Tokens, Improve Security
API keys can't authenticate the identity of individual users or authorize resource access permissions at the user level. For better security, API keys need to be combined with individual user authentication methods.
API keys provide an added layer of security, but this alone isn't enough to ward off bad actors because:
- API keys can be used for project authorization, but they can't be used to authenticate individual users. They also have limited use when it comes to user authorization.
- API keys must be stored securely. Bad actors can gain access to an API key if a project stores or uses the key publicly. API owners won't know when an API key gets compromised.
- API keys don't have an expiration date unless it gets deactivated or replaced with a new key. So, bad actors that have access to an API key can repeatedly use it for malicious purposes.
So, in addition to using API keys, resource owners also need to authenticate and authorize individual users using JSON tokens or the OAuth 2.0 protocol. Both of these methods use secure tokens to verify the identity of an individual user and validate their permissions.
5 Best Practices for Using API Keys Effectively
Ensure that your API key doesn't fall into the wrong hands by following these best practices:
1. Store Your API Keys Securely
Never store your API keys on your client-side app, front-end interface, or Android or iOS mobile app. If possible, store your API keys along with other sensitive information on a separate server or a secure vault. Isolating your API keys this way creates an added layer of authentication that is bound to deter bad actors.
2. Don't Embed Your API Keys in Code or URLs
Embedding API keys in your source code or URLs as plain text allows unauthorized users to access them. Storing your API keys inside environment variables or config files is a safer option because bad actors won't be able to access them without additional hacking efforts.
3. Rotate Your API Keys Periodically
It is recommended that you rotate API keys every 90 to 180 days. This minimizes the time window in which bad actors can misuse your API keys.
4. Restrict How Your API Keys Can Be Used
For additional safety, define which IP addresses, URLs, and apps can use your API keys. Also, restrict which set of APIs a particular key can access. This limits API requests from your key to only locations and applications that are known to you.
5. Delete Unused API Keys
Delete API keys that are no longer required. This prevents your unmonitored keys from being misused.
Use Secure Third-Party APIs To Create Delightful User Experiences
In addition to your core offering, you may need other generic features such as chat, weather, or payments. While these features elevate the user experience, they are not the best use of your engineering resources.
SaaS products offer these features your users expect without additional engineering effort. But their cookie-cutter solutions don't offer the flexibility or customization that your business needs.
Reusing external APIs in your product offers a viable alternative to this build vs. buy dilemma. Say, for instance, your product team needs an interactive chat feature. Instead of building the chat feature from scratch or buying a ready-made solution like Drift or Intercom, you can opt to use a chat API.
The key benefits of using a chat API include:
- A customized chat UI that matches your core offering
- Customizable workflows to solve your unique business needs
- Less expensive than building it in-house or using a ready-made product
- A secure REST API that uses API keys and JSON tokens to prevent cyberattacks
- API documentation that allows your engineers to quickly identify and resolve bugs