How to protect your API keys

When it comes to authenticating API clients, a common solution is to deliver an API key to each of your API clients.

Because the API key is sent on every API call, it might be stolen and used by a malicious third party to make API calls on your client app’s behalf. We therefore recommend delivering a secret key along with the API key (aka client identifier). The following method is applicable when calling an API from a server, not from a client.

This secret key will be used to create a temporary access token, which is unique for each call and will be sent along with your API key. If the same call is replayed, this will generate an error, as the access token is meant to be used only once.

On the calling side, here is what your client apps need to do for each call:

  1. Take the public API key
  2. Take the Secret Key (should never be shared)
  3. Generate a “nonce” which is a random number that can only be used once
  4. Generate the “timestamp,” which is the UNIX timestamp
  5. Generate the access token by computing an HMAC over the API key, using the hashing algorithm of your choice. The HMAC key is the concatenation of the secret key, timestamp, and nonce:

         $accessToken = hash_hmac('sha1', $APIKey, $secretKey.$timestamp.$nonce);

  6. Call the API by sending over the API key, the timestamp, the nonce, and the generated access token. Never send your secret key.

On the server side, here is the protection you need to put in place:

  1. If the received timestamp parameter is older than 15 minutes (or any other arbitrary value), dismiss the call.
  2. If the received timestamp is within the time range of 15 minutes, check if the combination of “API key,” “access token,” “nonce,” and “timestamp” already exists in your memory cache. If it does, dismiss the call. If it doesn’t, add this entry to your cache and process the call.
  3. Make sure your cache entries automatically expire after 15 minutes so that they do not overload your memory cache.

As you can see, this method relies on the ability to generate the access token without disclosing the secret key. Thus, this method works well for an API call from a server but is not relevant for calling APIs from a JavaScript client.
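The client and server steps above, as an added Python example (not code from the original article): `make_token` reproduces the `hash_hmac` call from step 5, and `Verifier.check` applies the timestamp window, recomputes the token, and rejects replays. The `Verifier` class, the `secret_for` dictionary, the in-process dictionary standing in for the memory cache, the rejection of future-dated timestamps, and the constant-time comparison are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

WINDOW = 15 * 60  # seconds; the 15-minute range from the server-side steps

def make_token(api_key, secret_key, timestamp, nonce):
    """Client step 5: HMAC-SHA1 of the API key, keyed with secret+timestamp+nonce."""
    key = f"{secret_key}{timestamp}{nonce}".encode()
    return hmac.new(key, api_key.encode(), hashlib.sha1).hexdigest()

class Verifier:
    def __init__(self, secret_for, clock=time.time):
        self.secret_for = secret_for  # hypothetical store: API key -> secret key
        self.clock = clock            # injectable so the window can be tested
        self.seen = {}                # (api_key, token, nonce, timestamp) -> expiry

    def check(self, api_key, timestamp, nonce, token):
        now = self.clock()
        # Server step 3: drop cache entries whose timestamp has left the window.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return "bad timestamp"
        # Server step 1 (future-dated timestamps are rejected too: an assumption).
        if abs(now - ts) > WINDOW:
            return "stale"
        secret = self.secret_for.get(api_key)
        if secret is None:
            return "unknown key"
        # Recompute the token and compare in constant time before touching the cache.
        expected = make_token(api_key, secret, timestamp, nonce)
        if not hmac.compare_digest(expected.encode(), str(token).encode()):
            return "bad token"
        # Server step 2: a combination seen before is a replay.
        entry = (api_key, token, nonce, timestamp)
        if entry in self.seen:
            return "replay"
        self.seen[entry] = ts + WINDOW  # kept for as long as ts can still pass step 1
        return "ok"

if __name__ == "__main__":
    v = Verifier({"demo-key": "demo-secret"})  # constructed credentials
    ts, nonce = str(int(time.time())), secrets.token_hex(16)
    tok = make_token("demo-key", "demo-secret", ts, nonce)
    print(v.check("demo-key", ts, nonce, tok), v.check("demo-key", ts, nonce, tok))
```

Validating the token before writing to the cache keeps forged requests from filling it with entries.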