4

I am building a RESTful API and wondering what's the best way to do auth? Users will need to authenticate. I know of three ways:

1.) Pass the API key in every RESTful request:

http://api.mydomain.com/api-key-here/get-users

This is nice because developers can immediately start using the API by simply copying the URL string into the browser. Are there any potential security risks though?

2.) Every request passes the API key in the header of the request.

This seems to be more secure, but developers can't make requests via their browser. cURL is required.

3.) OAuth

I must admit I don't know much about it, but it seems very popular. My concern is that it's a barrier for developers to start using the API. They first must be familiar with OAuth, and have it set up.

Thoughts? Thanks greatly.

2 Answers

2

If your concern is burdening developers with a high cost to entry, I suggest basic auth, but running your API over HTTPS.

I do this with Diligent Street and it works really well. I use an API Key and couple it with a Secret as the username/password combination for basic auth.


5 Comments

Yeah it will be SSL, but security is somewhat important. How do you use a secret key to couple to a username/password combination? Do users pass both the API key and the secret in every RESTful request URL?
Yes. I use the API key as the username, and the API secret as the password. It's a very simple method that's easy to implement, and if it's running over SSL, it's harder for anyone to gain access to the credentials.
How do you send the username and password though in the URL? Or do users have to set it in the header?
Users can set it directly in the URL should they choose (it is HTTP basic auth, after all), but you shouldn't do it that way. Instead set the appropriate header: Base64 encode it, and pass it with the Authorization header.
Thanks for this answer. You've kept me from over-complicating things. :]
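The exchange the accepted answer and its comments describe, as an added example that is not part of the original answer or of Diligent Street's code: the client encodes `key:secret` into an HTTP Basic `Authorization` header, and the server decodes it, looks the key up, and compares the secret in constant time. The credential store and the key/secret values are constructed for the example; a real service would store secrets hashed rather than in clear and would only accept this header over HTTPS, since Basic auth is only Base64, not encryption.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional

# Constructed sample store: API key -> API secret (hypothetical values).
# In production the secret would be stored hashed, like any password.
CREDENTIALS: Dict[str, str] = {
    "ak_demo_1234": "sk_demo_s3cr3t",
}


def make_basic_auth_header(api_key: str, api_secret: str) -> str:
    """Client side: build the Authorization header value for HTTP Basic auth.

    The key takes the username slot and the secret the password slot, exactly
    as the answer describes. Base64 is an encoding, not a cipher, so the pair
    is only protected by the TLS connection carrying it.
    """
    token = base64.b64encode(f"{api_key}:{api_secret}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def authenticate(headers: Dict[str, str],
                 credentials: Dict[str, str] = CREDENTIALS) -> Optional[str]:
    """Server side: return the authenticated API key, or None on failure.

    Every failure path returns None rather than raising, so a malformed
    header cannot turn into a 500 that leaks stack traces.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates key from secret; secrets may contain ':'.
    api_key, sep, api_secret = decoded.partition(":")
    if not sep or api_key not in credentials:
        return None
    expected = credentials[api_key]
    # Constant-time comparison so a wrong secret cannot be guessed byte by
    # byte from response timing.
    if not hmac.compare_digest(api_secret.encode("utf-8"), expected.encode("utf-8")):
        return None
    return api_key


if __name__ == "__main__":
    hdr = make_basic_auth_header("ak_demo_1234", "sk_demo_s3cr3t")
    print(hdr)
    print("authenticated as:", authenticate({"Authorization": hdr}))
```

The client call corresponds to `curl -u ak_demo_1234:sk_demo_s3cr3t https://api.example/...`, which is what lets a developer get started without any OAuth setup; the server-side check is the whole of what the API has to implement.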
0

I have employed the technique found here: Build a RESTful API. This solution uses an MD5 hash of your API ID, API secret and the UNIX timestamp, which is passed in the HTTP header. This authentication method is the same as that used by Mashery’s Authentication.

This link references and contains a full blown starter kit for creating an API that has Auth, Membership and *API Usage Metering* along with a supporting EF database.

As for testing the service you can use RESTClient to execute HTTP calls with custom headers instead of using curl.
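The signed-header scheme this answer describes, as an added example that is not the linked starter kit's code nor Mashery's: the client sends its API ID, a UNIX timestamp and a hash computed over ID, secret and timestamp; the server recomputes the hash from its own copy of the secret and rejects requests whose timestamp falls outside a replay window. The header names, the skew window and the secret store are assumptions for the example. The block also goes one step beyond the page and includes an HMAC-SHA256 variant, because a plain MD5 over a concatenation is not a keyed MAC, and a verifier that checks the signature but not the timestamp would accept the same header indefinitely.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional

# Constructed sample: API ID -> shared secret (hypothetical values).
SECRETS: Dict[str, str] = {"app_42": "d3m0-sh4r3d-s3cr3t"}

# Header names are an assumption; the answer only says the hash travels in
# an HTTP header.
H_ID, H_TS, H_SIG = "X-Api-Id", "X-Timestamp", "X-Signature"

# Requests whose timestamp drifts further than this from the server clock are
# rejected, which bounds how long a captured header can be replayed.
MAX_SKEW_SECONDS = 300

Signer = Callable[[str, str, int], str]


def sign_md5(api_id: str, secret: str, ts: int) -> str:
    """The scheme as the answer describes it: MD5 over ID + secret + timestamp."""
    return hashlib.md5(f"{api_id}{secret}{ts}".encode("utf-8")).hexdigest()


def sign_hmac(api_id: str, secret: str, ts: int) -> str:
    """Hardened variant: HMAC-SHA256 keyed with the secret over ID and timestamp.

    A newline separates the fields so 'a1' + '23' and 'a' + '123' cannot
    collide the way plain concatenation allows.
    """
    msg = f"{api_id}\n{ts}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def build_headers(api_id: str, secret: str, ts: Optional[int] = None,
                  signer: Signer = sign_md5) -> Dict[str, str]:
    """Client side: produce the three headers for one request."""
    ts = int(time.time()) if ts is None else ts
    return {H_ID: api_id, H_TS: str(ts), H_SIG: signer(api_id, secret, ts)}


def verify(headers: Dict[str, str], now: int,
           secrets: Dict[str, str] = SECRETS,
           signer: Signer = sign_md5) -> Optional[str]:
    """Server side: return the API ID if the request is fresh and signed correctly."""
    api_id = headers.get(H_ID, "")
    secret = secrets.get(api_id)
    if secret is None:
        return None
    try:
        ts = int(headers.get(H_TS, ""))
    except ValueError:
        return None
    # Freshness check first: a correct signature on a stale timestamp is a replay.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None
    expected = signer(api_id, secret, ts)
    presented = headers.get(H_SIG, "")
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
        return None
    return api_id


if __name__ == "__main__":
    hdrs = build_headers("app_42", SECRETS["app_42"])
    print(hdrs)
    print("verified as:", verify(hdrs, now=int(time.time())))
```

Because the verifier never receives the secret, only a hash derived from it, this scheme keeps the secret off the wire entirely; the cost is that the client must keep a reasonably accurate clock, which is why RESTClient-style tools that let you set custom headers are handy when testing it.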
