API Discovery is the first step to understanding…
Knock, knock. Who’s there? API client. API client who? This little digital chat happens billions of times a day in the world of IT. As more companies undertake digital transformation initiatives, they are exposing more of their applications and data sources through application programming interfaces (APIs). Indeed, virtually all modern software applications rely on these standards-based interfaces to connect with user devices and other applications. For the sake of security and reliability, it is essential to grant API access only to API clients that can verify their identities. The API key makes this happen, allowing the API client to assert its identity.
An API key is a unique bit of code that identifies the API client to the API. It’s like an ID card. It might look something like this: e7062c5b-d95d-4fa5-af31-52cb6e662816. Any number of platforms can generate the keys. When the API client invokes the API, the API “asks” for the API key. Once the client presents the key, the API grants access. Most API keys are static. They remain in effect until they are revoked.
API keys have two main purposes. One is authentication, a step that verifies that an API client is what it says it is. The API key signifies that the API client has permission to invoke the API. The process occurs at the API endpoint or API server.
The second purpose is authorization, which determines which API functions the API client is entitled to access. After all, an API may represent more than one function. And, it’s likely that not every API client will be authorized to use them all. One API client may get access to data set A, while another API client gets access to data sets A and B, and so forth. To realize this objective, the API project may assign more than one API key, with each key entitling the client to distinct access rights.
API keys work in a fairly straightforward “Show us your ID” process, sort of like going through the TSA checkpoint at the airport. When the API client requests access at the API endpoint, the API checks its client database for the key. If the key being presented matches the key in the database, the API client is allowed to access whatever data and functionality is made available through the API.
The owners of the API can also use the API key to monitor activity on the API. For example, they can track the number and types of requests being made, because each request links back to a specific API key. This capability has a useful security benefit, as well. If a malicious actor has stolen an API key, for example, then that key’s activities can provide evidence of an attack—potentially enabling API security tools to shut down access before the attack does any serious damage.
The best uses for API keys occur in situations where the API owner wants to control API traffic. Requiring an API key obstructs traffic sources of unknown origin or questionable integrity. On a related note, API keys are useful when API owners want to monitor API traffic patterns. They might want to do this for security reasons, e.g., to detect malicious traffic or denial of service (DoS) attacks. Or, they may want to measure traffic to better understand how to optimize API performance or negotiate terms with API users.
An API key is an identifier for the API client, but it differs from a set of API account credentials. The distinctions arise in several areas. For one thing, the API key identifies application requests, but not users on an individual basis. Indeed, there could be hundreds of end users who access an API through the same API client. The API key, on its own, cannot distinguish between them.
To address this limitation of access control, some APIs require users to create accounts. Though API user accounts vary in structure, they tend to resemble software user accounts. They might mandate that the user set up a unique username and password. The API account credentials might also include an authorization token, such as one based on OAuth standards. With API account credentials, the API owner can know exactly which end-user has accessed the API.
Given that the API key provides access to the API, and thus the data it represents, it should not be a surprise that hackers tend to be interested in stealing them. Getting ahold of an API key enables a malicious actor to breach data and systems fronted by the API. Or, they can abuse the key and flood the API with requests, disrupting business operations in the process. For these reasons, it is wise to devise and implement security controls that protect API keys.
For context, API key security should ideally be viewed as part of application security and data security. The API, after all, is the gateway to an application. If the API key is stolen, there will be very deficient application and data security.
Typical API key security countermeasures include:
Noname’s Recon solution offers users many of these capabilities. It has the ability to monitor APIs at runtime, detecting suspicious activity and alerting security managers of possible attacks. The solution also tracks API activity and traffic, with the goal of detecting and preventing breaches of the API, as well as theft of API keys.
API keys are identifiers that enable an API endpoint to authenticate an API client and limit its access according to authorization policies. They are not a complete API security solution, however, as they do not track individual end users. For better API security, it’s best to augment the API key with API account credentials, which may include tokens. API keys need to be protected, however, as they can be abused by hackers who are intent on breaching APIs.
Experience the speed, scale, and security that only Noname can provide. You’ll never look at APIs the same way again.