Looking for a beginner's guide to implementing API keys

security
(Yathindu) #1

Hi all, I building a API server for a mobile app. What are some good resources to learn about security in API servers? I looked into JWT but from what I understood it’s mainly for applications where there are users who log in using credentials. I just have an app that calls my API with no user entity. I guess what I need is to implement API keys on my server but I guess a broader resource would be very helpful for me. Thanks!

(Ivano Pagano) #2

I’m not sure this is the right place to ask, securing an Api with keys is a very general problem that is not only related to play.
The server implementation is secondary to the security protocols used for api keys issuing and verification.
To give you a general idea (I’m no expert here), I guess you need to have

  • a server issuing api keys to identified users
  • a way to read accept those keys from the client’s call (might be a http request header, sent over secure protocol layer, i.e. TLS) and to check them against those issued before.

This is a very superficial description of one possible solution, but I encourage you to search for better and more detailed resources both on the internet and on books