API Security with API key

API keys have become the standard way to authenticate when consuming an API. An API key is a random, opaque string that uniquely identifies the consumer. API keys have numerous benefits over the Basic Authentication mechanism.

The API key approach is very fast. The ability to prove identity once and move on is very agile, and is why it has been used for many years as the default approach for many API providers. Additionally, setting up the system itself is quite easy, and controlling the keys once generated is even easier. This also allows systems to purge keys, thereby revoking authentication after the fact and denying entry to any system attempting to use a removed key.

For example, to authorize a user with an API key, the client would send: Authorization: Bearer Gdak3lfs9fsl3slfksdlf3f#f3fsd@%

How miniOrange API Gateway protects your APIs with an API key

  1. The client application accesses the API server with the API key in an Authorization header.
  2. miniOrange API Gateway reads the API key (Bearer token) provided in the Authorization header and validates the key.
  3. Once the key is validated, miniOrange forwards the request to the API or resource server.
  4. The response returned from the API server is sent back to the client application.

The Authorization field is constructed as follows:

    • The authorization scheme followed by a space (e.g. “Bearer ”) is prepended to the API key of the client application.
    • e.g. Authorization: Bearer Gdak3lfs9fsl3slfksdlf3f#f3fsd@%

Advantages of using API key based authentication:

  • Fast and simple to implement
  • API keys are independent of the account’s master credentials, can be revoked individually, and many API keys can be granted to a single account.

Disadvantages of using API key based authentication:

  • Over plain HTTP, network traffic can be sniffed and the API key stolen.
  • Vulnerable to replay attacks, so OAuth authentication is recommended instead, since it provides time-based tokens with restricted access.

Security guidelines we follow to secure your APIs:

Enforce HTTPS / TLS connection:

We provide an option to enforce the use of HTTP over SSL/TLS (HTTPS) for API requests, which transfers your credentials securely.

Input Parameter Validation to prevent injections:

Request parameters are validated at the very first step, before the request reaches your API server. Our validation checks block access immediately if input validation fails, which helps prevent SQL injection and other injection attacks.

We support the input validation specified by the OWASP REST Security guidelines.

Timestamp in Request:

Along with the other request parameters, we provide an option to add a request timestamp as a custom HTTP header in the API request. The server compares the current timestamp to the request timestamp and only accepts the request if it is within the allowed time window (60-300 seconds). This prevents replay attacks from attackers who try to brute force your system without changing the timestamp.
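The gateway-side checks described above (Bearer key validation plus the timestamp window), as an added example that is not miniOrange's own code. The key store, the `X-Request-Timestamp` header name and the 300-second window are assumptions for illustration; the sample key is the one from the page.

```python
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed sample key store: API key -> client id.
# In a real gateway this is a lookup against a database of issued keys.
API_KEYS: Dict[str, str] = {
    "Gdak3lfs9fsl3slfksdlf3f#f3fsd@%": "client-app-1",
}

# Assumed window; the page allows configuring 60-300 seconds.
MAX_SKEW_SECONDS = 300
TIMESTAMP_HEADER = "X-Request-Timestamp"  # assumed header name


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the key from 'Authorization: Bearer <key>', or None if malformed."""
    if not authorization:
        return None
    scheme, _, key = authorization.partition(" ")
    if scheme.lower() != "bearer" or not key.strip():
        return None
    return key.strip()


def lookup_client(key: str) -> Optional[str]:
    # Constant-time comparison so the lookup does not leak how many
    # leading characters of a guessed key matched a stored one.
    for stored, client in API_KEYS.items():
        if hmac.compare_digest(stored.encode(), key.encode()):
            return client
    return None


def timestamp_ok(header: Optional[str], now: float, max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """Accept only requests whose Unix timestamp is within max_skew of the server clock."""
    try:
        ts = int(header)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return False
    # Note: a timestamp alone does not stop a replay inside the window;
    # pairing it with request signing (see below) covers that gap.
    return abs(now - ts) <= max_skew


def authorize(headers: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Gateway decision: (allowed, client id or rejection reason)."""
    now = time.time() if now is None else now
    key = parse_bearer(headers.get("Authorization"))
    if key is None:
        return False, "missing or malformed Authorization header"
    client = lookup_client(key)
    if client is None:
        return False, "unknown API key"
    if not timestamp_ok(headers.get(TIMESTAMP_HEADER), now):
        return False, "request timestamp outside allowed window"
    return True, client
```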

Digitally Sign API requests and responses:

We support digitally signed API requests and responses as an added security measure.

Digitally signed requests ensure that API calls are coming from the trusted partner or client.

Rate Limiting:

We protect your APIs with rate limiting to mitigate distributed denial-of-service (DDoS) attacks and to protect the backend applications that process the API calls.