0

I'm designing an API, and I need to authenticate each request with a user. The simplest way to do that is to provide an API key to each user on their "My account" page, that they could regenerate at any time.

Then, our users can either include it when they design their consumer apps, or the apps they use can ask the user for their API key.

The API would only be accessible via HTTPS requests that include a header with the user's API key as value.

Is this a bad idea?

Improve this question
1
  • It's a fairly common implementation of request authorization. Just a note. the API can be requested by anybody, but only consumed by authorized clients (those with the header). Remember that once the web API goes public it's literary accessible to everybody. Humans, bots etc. Commented Feb 8, 2019 at 11:42

1 Answer 1

Reset to default
2

Many services work this way (example: the Google APIs like Maps and Directions). So it's not necessarily a bad idea. The regeneration part is important; it allows users to reset their key if they suspect it has been compromised.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.