An API key (application programming interface key) is a string that a calling application passes along with each request to an API. The service behind the API uses it to identify the program, developer or user making the call.
API keys are normally used to track and control how an interface is being used: because each call is attributed to a key, usage can be measured, rate-limited and, where necessary, blocked to prevent abuse or malicious use of the API in question.
An API key can serve both as a unique identifier and as a secret authentication token. Typically, the key carries a set of access rights for the API it belongs to.
When and Why to Use API Keys
API keys are associated with projects, whereas authentication is concerned with users. In many cases a service proxy such as Cloud Endpoints handles both the API key checks and the authentication. The distinction between the two is:
- Authentication tokens identify users, that is, the person using a particular website or application.
- API keys identify the project making the call, that is, the website or application that is calling the application programming interface.
API Keys Provide Project Authorization
Before choosing a scheme, you first need to understand what API keys and authentication each provide. API keys provide:
- Project authorization: checking whether the project making the call is allowed to call the API, and whether the API is enabled in that project.
- Project identification: identifying the project or application making the call to the API.
Note that API keys are generally less secure than authentication tokens. A key is usually embedded in a client such as a mobile app, a web page or a script, so anyone who extracts it can replay it, and the key says nothing about which user is behind the call. Keys are nevertheless useful for identifying the project or application that is making the call.
A key is generated within the calling project, so its use can be restricted to specific environments, for example to a particular iOS or Android application, or to a given IP range.
Because the key identifies the calling project, usage information can be attributed to that project. The key also makes it possible for the ESP (Extensible Service Proxy) to reject calls from projects that do not have access to the API, or in which the API has not been enabled.
Authentication schemes serve two main purposes:
- User authorization: checking whether the user making the call has permission to make this kind of request.
- User authentication: verifying that the caller is who he or she claims to be.
An authentication scheme establishes the identity of the caller. The endpoint can also inspect the authentication token to confirm that the caller has been granted permission to call the API. Based on the information carried in the token, the API server makes the final decision on whether to authorize that particular request.
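The following is an added example, not code from the original page or from Cloud Endpoints, showing the two-stage gate described in the two sections above: an API key check that identifies the calling project and enforces its restrictions (API enabled, IP range, app platform), followed by a user-token check that authenticates the user and verifies their permission. The project registry, the API keys, the user tokens and the HMAC signing secret are all constructed for illustration; the token format is a toy stand-in for a real JWT or OAuth access token.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed project registry, keyed by SHA-256 of the API key so the raw
# key is never stored server-side. Keys and project names are made up.
def _key_id(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()

PROJECTS = {
    _key_id("AIzaFakeKeyForMobileApp-0001"): {
        "project": "mobile-app",
        "enabled_apis": {"weather.v1"},
        "allowed_cidrs": [],                      # no IP restriction
        "allowed_platforms": {"ios", "android"},  # app-type restriction
    },
    _key_id("AIzaFakeKeyForBackend-0002"): {
        "project": "partner-backend",
        "enabled_apis": {"weather.v1", "billing.v1"},
        "allowed_cidrs": ["203.0.113.0/24"],      # IP-range restriction
        "allowed_platforms": set(),               # any caller type
    },
}

# Assumed server-side signing secret for the user tokens issued below.
TOKEN_SECRET = b"constructed-server-secret-do-not-reuse"


class Denied(Exception):
    """Raised with a human-readable reason when a check fails."""


def check_api_key(api_key, api, client_ip, platform=None):
    """Project authorization: which project is calling, and may it call this API?"""
    record = PROJECTS.get(_key_id(api_key or ""))
    if record is None:
        raise Denied("unknown API key")
    if api not in record["enabled_apis"]:
        raise Denied(f"{api} is not enabled for project {record['project']}")
    if record["allowed_cidrs"]:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(c) for c in record["allowed_cidrs"]):
            raise Denied(f"{client_ip} is outside the project's allowed IP range")
    if record["allowed_platforms"] and platform not in record["allowed_platforms"]:
        raise Denied(f"platform {platform!r} is not allowed for this key")
    return record["project"]


def issue_token(user, scopes, ttl=3600, now=None):
    """Mint an HMAC-signed bearer token carrying the user id, scopes and expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "scopes": scopes, "exp": now + ttl}, sort_keys=True)
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    sig = hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def check_user_token(token, required_scope, now=None):
    """User authentication (signature) and user authorization (expiry, scope)."""
    body, sep, sig = (token or "").partition(".")
    if not sep:
        raise Denied("malformed token")
    expected = hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise Denied("token signature does not verify")
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["exp"] < now:
        raise Denied("token expired")
    if required_scope not in claims["scopes"]:
        raise Denied(f"user {claims['sub']} lacks scope {required_scope}")
    return claims["sub"]


def authorize_request(api_key, token, api, scope, client_ip, platform=None, now=None):
    """Proxy-style gate: the project check runs first, then the user check.

    Returns a dict so the caller can see exactly which stage denied the call."""
    try:
        project = check_api_key(api_key, api, client_ip, platform)
    except Denied as e:
        return {"allowed": False, "stage": "api_key", "reason": str(e)}
    try:
        user = check_user_token(token, scope, now)
    except Denied as e:
        return {"allowed": False, "stage": "user_token", "reason": str(e), "project": project}
    return {"allowed": True, "project": project, "user": user}


if __name__ == "__main__":
    tok = issue_token("alice", ["weather:read"], now=1_000)
    print(authorize_request("AIzaFakeKeyForMobileApp-0001", tok, "weather.v1",
                            "weather:read", "198.51.100.9", platform="ios", now=1_500))
```

The ordering matters: the API key check is cheap and answers "is this project allowed to talk to this API at all", so it runs before any token parsing, and the key lookup is done on a hash so a leaked registry does not leak usable keys. The user token is the only thing that tells the server who the person is, which is why a valid key alone is never enough to pass the gate.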