Passing api keys to rest api

php codeigniter rest api-key
47,514

Solution 1

You should look into request signing. A great example is Amazon's S3 REST API.

The overview is actually pretty straightforward. The user has two important pieces of information to use your API, a public user id and a private API Key. They send the public id with the request, and use the private key to sign the request. The receiving server looks up the user's key and decides if the signed request is valid. The flow is something like this:

  1. User joins your service and gets a user id (e.g. 123) and an API key.
  2. User wants to make a request to your API service to update their email address, so they need to send a request to your API, perhaps to /user/[email protected].
  3. In order to make it possible to verify the request, the user adds the user id and a signature to the call, so the call becomes /user/[email protected]&userid=123&sig=some_generated_string
  4. The server receives the call, sees that it's from userid=123, and looks up the API key for that user. It then replicates the steps to create the signature from the data, and if the signature matches, the request is valid.

This methodology ensures the API key is never sent as part of the communication.

Take a look at PHP's hash_hmac() function, it's popular for sending signed requests. Generally you get the user to do something like put all the parameters into an array, sort alphabetically, concatenate into a string and then hash_hmac that string to get the sig. In this example you might do:

$sig = hash_hmac("sha256",$params['email'].$params['userid'],$API_KEY)

Then add that $sig onto the REST url as mentioned above.

Solution 2

The idea of REST is that it's stateless—so no sessions or anything. If you want to authenticate, then this is where keys come in, and keys must be passed for every request, and each request authenticates the user (as REST is stateless, did I mention that?).

There are various ways you can pass a key. You could pass it as a parameter (i.e. http://example.com/api/resource/id?key=api_key) or you can pass it as part of the HTTP headers. I've seen APIs that specify you send your username, and an API key as the password portion of the HTTP basic access authorization header.

An example request:

<?php

$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_URL => 'http://example.com/api/resource/id',
    CURLOPT_USERPWD => 'martinbean:4eefab4111b2a'
));
$response = curl_exec($ch);

Where martinbean would be my account username on your website, and 4eefab4111b2a would be my API key.

Share:
47,514
MrFoh
Author by

MrFoh

Software Engineer with a keen desire for self-improvement. Outstanding team player as well as an independent contributor, dedicated to continuously developing, implementing, and adopting technology to maximize development efficiency and deliver business value.

Updated on May 19, 2020

Comments

  • MrFoh
    MrFoh almost 4 years

    Am working with phil sturgeon REST_Controller for codeigniter to create a REST api, so far i've been able to create a simple library for generating api keys for the users. My problem is now sending the api key to the API for each request, how i do this without having to manually send it for every request.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Codeigniter - Creating a RESTful API
How can I download/upload images in a REST API?
$this->post codeigniter don't work with rest api
API integration in Codeigniter application
How to add items to the cart using the Shopify API
Creating RESTful API by using pure CodeIgniter?
Codeigniter RESTful API - {"status":false,"error":"Unknown method."}
How to send a post request to the RESTserver api in php-Codeigniter?
REST Authentication in PHP (CodeIgniter)
Where_in in codeigniter