An application programming interface (API) key is a unique code used by an API to identify the calling application or user. API keys are used to track and control who is using an API and how they’re using it, as well as to authenticate and authorize applications — similar to how usernames and passwords work. An API key may come in the form of a single key or a set of multiple keys. Users should follow best practices to improve their overall security against API key theft and avoid the related consequences of their API keys being compromised.
API vs API Key
In order to understand what an API key is, you must first understand what an API is. An application programming interface or API is a software intermediary that allows two or more applications to share information. For example, CoinMarketCap’s API allows other applications to retrieve and use crypto data, such as price, volume, and market cap.
An API key comes in many different forms — it can be a single key or a set of multiple keys. Different systems use these keys to authenticate and authorize an application, similar to how a username and password are used. An API key is used by an API client to authenticate an application calling the API.
For instance, if Binance Academy wants to use the CoinMarketCap API, an API key will be generated by CoinMarketCap and used to authenticate the identity of Binance Academy (the API client), which is requesting API access. When Binance Academy accesses CoinMarketCap’s API, this API key should be sent to CoinMarketCap along with the request.
This API key should only be used by Binance Academy and should not be shared with or sent to others. Sharing this API key will allow a third party to access CoinMarketCap as Binance Academy, and any actions by the third party will appear as if they come from Binance Academy.
The API key can also be used by the CoinMarketCap API to confirm if the application is authorized to access the requested resource. Additionally, API owners use API keys to monitor API activity, such as the types, traffic, and volume of requests.
What Is an API Key?
An API key is used to control and track who is using an API and how they’re using it. The term “API key” can mean different things for different systems. Some systems have a single code but others can have multiple codes for a single “API key”.
As such, an “API key” is a unique code or a set of unique codes used by an API to authenticate and authorize the calling user or application. Some codes are used for authentication and some are used for creating cryptographic signatures to prove the legitimacy of a request.
These authentication codes are commonly referred to collectively as an “API key”, while the codes used for cryptographic signatures go by various names, such as “secret key”, “public key”, or “private key”. Authentication entails identifying the entities involved and confirming they are who they say they are.
Authorization, on the other hand, specifies the API services to which access is permitted. The function of an API key is similar to that of an account username and password; it can also be connected to other security features to improve overall security.
Each API key is typically generated for a specific entity by the API owner (more details below) and each time a call is made to an API endpoint — which requires user authentication or authorization, or both — the relevant key is used.
Some API keys use cryptographic signatures as an additional layer of verification. When a user wants to send certain data to an API, a digital signature generated by another key can be added to the request. Using cryptography, the API owner can verify that this digital signature matches the data sent.
Symmetric and Asymmetric Signatures
Data shared through an API can be signed by cryptographic keys, which fall under the following categories:
These involve the use of one secret key to perform both the signing of data and the verification of a signature. With symmetric keys, the API key and secret key are usually generated by the API owner and the same secret key must be used by the API service for signature verification. The main advantage of using a singular key is that doing so is faster and requires less computational power for signature generation and verification. A good example of a symmetric key is HMAC.
These involve the use of two keys: a private key and a public key, which are different but cryptographically linked. The private key is used for signature generation and the public key is used for signature verification. The API key is generated by the API owner but the private key and public key pair is generated by the user. Only the public key needs to be used by the API owner for signature verification, so the private key can remain local and secret.
The main advantage of using asymmetric keys is the higher security of separating signature generation and verification keys. This allows external systems to verify signatures without being able to generate signatures. Another advantage is that some asymmetric encryption systems support adding a password to private keys. A good example is an RSA key pair.
Are API Keys Secure?
The responsibility of an API key rests with the user. API keys are similar to passwords and need to be treated with the same care. Sharing an API key is similar to sharing a password and as such, should not be done as doing so would put the user’s account at risk.
API keys are commonly targeted in cyberattacks because they can be used to perform powerful operations on systems, such as requesting personal information or executing financial transactions. In fact, there have been cases of crawlers successfully attacking online code databases to steal API keys.
The consequences of API key theft can be drastic and lead to significant financial loss. Furthermore, as some API keys don’t expire, they can be used indefinitely by attackers once stolen, until the keys themselves are revoked.
Best Practices When Using API Keys
Because of their access to sensitive data and their general vulnerability, using API keys securely is of paramount importance. You can follow these best practice guidelines when using API keys to improve their overall security:
Rotate your API keys often if possible. This means you should delete your current API key and make a new one. With multiple systems, it’s easy to generate and delete API keys. Similar to how some systems require you to change your password every 30 to 90 days, you should rotate your API keys with a similar frequency if possible.
Use IP whitelisting: When you create an API key, draw up a list of IPs authorized to use the key (an IP whitelist). You can also specify a list of blocked IPs (an IP blacklist). This way, even if your API key is stolen, it still can’t be accessed by an unrecognized IP.
Use multiple API keys: Having multiple keys and splitting responsibilities among them will lower security risk, as your security will not hinge on a single key with extensive permissions. You can also set different IP whitelists for each key, further lowering your security risk.
Store API keys securely: Don’t store your keys in public places, on public computers, or in their original plain text format. Instead, store each using encryption or a secret manager for better security, and be careful not to accidentally expose them.
Do not share your API keys. Sharing your API key is similar to sharing your password. In doing so, you give another party the same authentication and authorization privileges as you. If they are compromised, your API key can be stolen and used to hack into your account. An API key should only be used between you and the system that generates it.
If your API key is compromised, you need to first disable it to prevent further damage. If there is any financial loss, take screenshots of key information related to the incident, contact the related entities, and file a police report. This is the best way to increase your chances of regaining any lost funds.
API keys provide core authentication and authorization functions, and users must manage and protect their keys carefully. There are many layers and aspects to ensuring the safe usage of API keys. Overall, an API key should be treated like a password to your account.