<script type="application/ld+json">
{
 "@context": "https://schema.org",
 "@type": "FAQPage",
 "mainEntity": [{
   "@type": "Question",
   "name": "What are API keys?",
   "acceptedAnswer": {
     "@type": "Answer",
     "text": "Application Programming Interface keys (API keys)  are unique codes that are passed to APIs to identify the applications, users, or developers that are making calls. They can be used to control and track how the API is being used and prevent it from being abused. Your API key can be used as a unique identifier as well as a secret token for authentication."
   }
 },{
   "@type": "Question",
   "name": "How are API keys different from Authentication tokens?",
   "acceptedAnswer": {
     "@type": "Answer",
     "text": "Authentication tokens are used to identify the individual person (user) that is using an application or website. An API key does not provide the same level of security as authorization tokens do, but they are effective at identifying the application or call that is making the API call."
   }
 },{
   "@type": "Question",
   "name": "How can you use API keys?",
   "acceptedAnswer": {
     "@type": "Answer",
     "text": "API keys are primarily used for project identification and project authorization. They can even be used to associate use information with specific projects. API keys can even enable the Extensible Service Proxy (ESP) to reject calls that are made by projects that have not been granted access or which have not been enabled in that specific API."
   }
 },{
   "@type": "Question",
   "name": "How do you get API keys?",
   "acceptedAnswer": {
     "@type": "Answer",
     "text": "1. The process usually involves creating an account with the owner of the application and proceeding to register the project for which you need the key.
2. After that, in most cases, you’ll just have to interact with a console and create the credentials needed to generate an API key.
3. Most keys don’t expire, but sometimes, the application owner requires you to renew your access to the key at fixed intervals."
   }
 },{
   "@type": "Question",
   "name": "Why must API keys be kept private?",
   "acceptedAnswer": {
     "@type": "Answer",
     "text": "If the API key is used to enforce rate limiting and an unauthorized person uses your API key, you might be denied service because they went over the limit. And if you are using a paid API, this may even result in you incurring additional charges if unauthorized people use your key."
   }
 },{
   "@type": "Question",
   "name": "How to keep your API key secure?",
   "acceptedAnswer": {
     "@type": "Answer",
     "text": "1. Don’t directly embed your API keys in code.
2. Avoid storing API keys in files within an application's source tree.
3. Get rid of unnecessary API keys.
4. Create application and API key restrictions.
5. Regenerate your API keys from time to time"
   }
 }]
}
</script>

API keys

What are API keys?

Application Programming Interface keys (API keys)  are unique codes that are passed to APIs to identify the applications, users, or developers that are making calls. They can be used to control and track how the API is being used and prevent it from being abused. Your API key can be used as a unique identifier as well as a secret token for authentication.

API keys will usually have a set of access rights for the APIs that they are associated with.


How are API keys different from Authentication tokens?

API keys are generally used to identify the projects, i.e., the applications or sites that make the calls to APIs. They are even used for project authorization, by checking if the application making the call has access to call the API and has the API enabled in their project.

Authentication tokens are used to identify the individual person (user) that is using an application or website.

An API key does not provide the same level of security as authorization tokens do, but they are effective at identifying the application or call that is making the API call. 

How can you use API keys?

The keys are handled by endpoints. They are used along with applications and web interfaces (projects).

API keys are primarily used for project identification and project authorization. They can even be used to associate use information with specific projects. API keys can even enable the Extensible Service Proxy (ESP) to reject calls that are made by projects that have not been granted access or which have not been enabled in that specific API.

Their use can even be restricted to an IP address range or an iOS or Android application.


How do you get API keys?

You would need to ask the owner of the application service that you want to connect your application service with for an API key. If an application owner makes connections to their application services available to external developers, they will generally publish instructions on getting an API key.

The process usually involves creating an account with the owner of the application and proceeding to register the project for which you need the key.

After that, in most cases, you’ll just have to interact with a console and create the credentials needed to generate an API key.

Most keys don’t expire, but sometimes, the application owner requires you to renew your access to the key at fixed intervals.


Why must API keys be kept private?

Some API keys are meant to be public and are published in webpages and application bundles. These are used mainly for identification, not authentication. This tends to work for applications with lower security requirements or applications that have other security measures.

However, most API keys tend to be private. Anyone can do whatever your application is authorized to do with the API if they gain access to your credentials.

If the API key is used to enforce rate limiting and an unauthorized person uses your API key, you might be denied service because they went over the limit. And if you are using a paid API, this may even result in you incurring additional charges if unauthorized people use your key.

In case your API key is used to prove that you asked that a request be performed by the application owner, you would lose control of the protected resource if your API key is stolen or leaked.

Even in situations where your API key does not contain sensitive information, it becomes a security risk as soon as it is used to restrict access to resources because it is rather easy for someone to extract them from client applications and automate attacks by using them. In such a situation, the attacker would be able to impersonate the API server, pretending to be the authorized application or user.

How to keep your API key secure?

Here are a few steps that you could take to keep your API keys secure:

  • Don’t directly embed your API keys in code.
  • Avoid storing API keys in files within an application's source tree.
  • Get rid of unnecessary API keys.
  • Create application and API key restrictions.
  • Regenerate your API keys from time to time
About Engati

Engati powers 45,000+ chatbot & live chat solutions in 50+ languages across the world.

We aim to empower you to create the best customer experiences you could imagine. 

So, are you ready to create unbelievably smooth experiences?

Check us out!

API keys

October 14, 2020

Table of contents

Key takeawaysCollaboration platforms are essential to the new way of workingEmployees prefer engati over emailEmployees play a growing part in software purchasing decisionsThe future of work is collaborativeMethodology

What are API keys?

Application Programming Interface keys (API keys)  are unique codes that are passed to APIs to identify the applications, users, or developers that are making calls. They can be used to control and track how the API is being used and prevent it from being abused. Your API key can be used as a unique identifier as well as a secret token for authentication.

API keys will usually have a set of access rights for the APIs that they are associated with.


How are API keys different from Authentication tokens?

API keys are generally used to identify the projects, i.e., the applications or sites that make the calls to APIs. They are even used for project authorization, by checking if the application making the call has access to call the API and has the API enabled in their project.

Authentication tokens are used to identify the individual person (user) that is using an application or website.

An API key does not provide the same level of security as authorization tokens do, but they are effective at identifying the application or call that is making the API call. 

How can you use API keys?

The keys are handled by endpoints. They are used along with applications and web interfaces (projects).

API keys are primarily used for project identification and project authorization. They can even be used to associate use information with specific projects. API keys can even enable the Extensible Service Proxy (ESP) to reject calls that are made by projects that have not been granted access or which have not been enabled in that specific API.

Their use can even be restricted to an IP address range or an iOS or Android application.


How do you get API keys?

You would need to ask the owner of the application service that you want to connect your application service with for an API key. If an application owner makes connections to their application services available to external developers, they will generally publish instructions on getting an API key.

The process usually involves creating an account with the owner of the application and proceeding to register the project for which you need the key.

After that, in most cases, you’ll just have to interact with a console and create the credentials needed to generate an API key.

Most keys don’t expire, but sometimes, the application owner requires you to renew your access to the key at fixed intervals.


Why must API keys be kept private?

Some API keys are meant to be public and are published in webpages and application bundles. These are used mainly for identification, not authentication. This tends to work for applications with lower security requirements or applications that have other security measures.

However, most API keys tend to be private. Anyone can do whatever your application is authorized to do with the API if they gain access to your credentials.

If the API key is used to enforce rate limiting and an unauthorized person uses your API key, you might be denied service because they went over the limit. And if you are using a paid API, this may even result in you incurring additional charges if unauthorized people use your key.

In case your API key is used to prove that you asked that a request be performed by the application owner, you would lose control of the protected resource if your API key is stolen or leaked.

Even in situations where your API key does not contain sensitive information, it becomes a security risk as soon as it is used to restrict access to resources because it is rather easy for someone to extract them from client applications and automate attacks by using them. In such a situation, the attacker would be able to impersonate the API server, pretending to be the authorized application or user.

How to keep your API key secure?

Here are a few steps that you could take to keep your API keys secure:

  • Don’t directly embed your API keys in code.
  • Avoid storing API keys in files within an application's source tree.
  • Get rid of unnecessary API keys.
  • Create application and API key restrictions.
  • Regenerate your API keys from time to time
Share

Continue Reading