Distribution and use of API keys for web applications

I have a web application for which I am creating a Drupal module that allows my clients to access certain data in my application.

I intend to distribute secret API keys to my clients who need to enter this value in their copy of the Drupal module. This Drupal module then navigates to my web application, but I need to make sure that the POST requests really come from this source.

How can this secret key be used to transfer some information such that, when my application receives it, it knows:

(a) it's from that client server.
(b) it hasn't been eavesdropped on / copied and used by someone else?

Should I use this API key as a password to encrypt some data that matches the rest of the POST request? Having received it, I decrypt it using my copy of my API key, and if it matches the rest of the data, I believe that it is verified?

Is there any staffing that does this for me? Is there something inside Zend?

+3
1 answer

Use HTTPS and just send the API key in the request. It's simple.

If you use HTTP, you are going to reinvent the wheel.

Update:

Here is the update after reading the comments, because in the question you did not explain that you want to pass the API keys to website visitors (in this case, you will be screwed no matter what you do).

juanpaco , ( , , ), .

, API -. API API.

:

  • // .
  • , HTML-, , - API, ( HTTPS, - ).
  • .
  • API ( HTTPS).
  • API .
  • .

API .

API, , , , API .

-, , . API , . - . , , , .

( juanpaco , ).

+4
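The check the question describes (deriving a value from the secret key that must match the rest of the POST data) is a message authentication code rather than encryption. The following Python is an added example, not code from the question or the answer, showing what the server has to verify for points (a) and (b) when it builds this itself; the client id, key value, field layout and 300-second window are assumptions. It authenticates the request and rejects replays but does not hide the body, which is what HTTPS provides in the answer's approach.

```python
import hashlib
import hmac
import time

# Constructed sample data: client id -> shared secret API key (hypothetical).
API_KEYS = {"client-42": b"constructed-example-secret"}
MAX_SKEW = 300      # assumed window (seconds) in which a request is accepted
_seen_nonces = {}   # (client_id, nonce) -> timestamp of the accepted request


def _canonical(*fields):
    # Length-prefix every field so that no two different requests can
    # serialize to the same byte string.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def sign_request(client_id, key, body, timestamp, nonce):
    """Client side: HMAC-SHA256 over the id, timestamp, nonce and POST body."""
    msg = _canonical(client_id.encode(), str(timestamp).encode(),
                     nonce.encode(), body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(client_id, body, timestamp, nonce, signature, now=None):
    """Server side: return (accepted, reason)."""
    now = time.time() if now is None else now
    key = API_KEYS.get(client_id)
    if key is None:
        return False, "unknown client"
    expected = sign_request(client_id, key, body, timestamp, nonce)
    # Constant-time comparison; the key itself never travels with the request.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    # Forget nonces too old to pass the timestamp check anyway.
    for seen, ts in list(_seen_nonces.items()):
        if abs(now - ts) > MAX_SKEW:
            del _seen_nonces[seen]
    if (client_id, nonce) in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces[(client_id, nonce)] = timestamp
    return True, "ok"
```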
