REST web service and API keys

Frontend · unresolved · 2 answers · 1070 views
一向 2021-02-06 07:29

I have a web service I'm offering to users to tap into my application's database and get some info. Users have to register for an API key and provide that when making requests.

2 answers
  •  南笙 (OP)
     2021-02-06 08:07

    You need to use signed requests. Basically it works like this:

    • You give your user an API key and a "secret" (a random string) that only you and the client know.
    • Whenever they make a request, they add a "signature" parameter to it. This signature is basically a hash of the request parameters + the API key + other parameters (see below) + the secret.
    • Since you know the secret too, you can verify that the signature is correct.

    To avoid replay attacks, you can also add nonces and timestamps into the mix. A nonce is simply a number that must be incremented by the client on each request. When you get the request, you check whether you've already received this nonce/timestamp before. If you have, you reject the request (because it's most likely a replay attack). If not, you store the nonce/timestamp in your database so that you can look it up later on.

    This is more or less how requests are signed in OAuth. Have a look at their example in the link.
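The scheme described in the answer above, written out as an added example (it is not code from the answer, from OAuth, or from the asker's service). Both sides are shown: the client signs the request with HMAC-SHA256 over the sorted parameters plus the API key, nonce and timestamp, and the server recomputes the signature with the shared secret, enforces a timestamp window, and rejects any nonce it has already seen. The `CREDENTIALS` table, the `sign_request`/`Verifier` names, the `/v1/users` path, the 300-second window and the use of a random nonce (rather than a client-side counter) are all assumptions made for the example; a real service would keep credentials and seen nonces in its database.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed credential store for the example: api_key -> shared secret.
# In a real service these rows live in the registration database.
CREDENTIALS = {
    "key_123": "6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e",
}

# Requests whose timestamp is further than this from server time are rejected.
# This also bounds how long the server has to remember a nonce.
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_string(method, path, params):
    """Serialize the signed parts of a request in a fixed order.

    Sorting the parameters means client and server agree on the bytes being
    signed regardless of the order the client sent them in. The signature
    parameter itself is never part of the signed input.
    """
    items = sorted((k, v) for k, v in params.items() if k != "signature")
    return f"{method.upper()}\n{path}\n{urlencode(items)}"


def sign_request(api_key, secret, method, path, params, nonce=None, timestamp=None):
    """Client side: add api_key, nonce, timestamp and an HMAC-SHA256 signature."""
    signed = dict(params)
    signed["api_key"] = api_key
    signed["nonce"] = nonce or secrets.token_hex(16)  # assumption: random nonce
    signed["timestamp"] = str(timestamp or int(time.time()))
    msg = canonical_string(method, path, signed).encode()
    signed["signature"] = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return signed


class Verifier:
    """Server side: check the signature, the timestamp window, and replays."""

    def __init__(self, credentials, now=time.time):
        self.credentials = credentials
        self.now = now  # injectable clock so the check is testable offline
        self.seen_nonces = {}  # (api_key, nonce) -> timestamp; a DB table in production

    def verify(self, method, path, params):
        api_key = params.get("api_key")
        secret = self.credentials.get(api_key)
        if secret is None:
            return False, "unknown api_key"
        for field in ("nonce", "timestamp", "signature"):
            if field not in params:
                return False, f"missing {field}"
        try:
            ts = int(params["timestamp"])
        except ValueError:
            return False, "bad timestamp"
        if abs(self.now() - ts) > MAX_CLOCK_SKEW_SECONDS:
            return False, "timestamp outside allowed window"
        # Check the signature before consulting the nonce store: a request whose
        # signature does not verify must never be allowed to "use up" a nonce.
        msg = canonical_string(method, path, params).encode()
        expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, params["signature"]):
            return False, "bad signature"
        key = (api_key, params["nonce"])
        if key in self.seen_nonces:
            return False, "replay: nonce already used"
        self.seen_nonces[key] = ts
        self._expire_old_nonces()
        return True, "ok"

    def _expire_old_nonces(self):
        # Nonces older than the window can be forgotten: a request carrying
        # one would already fail the timestamp check.
        cutoff = self.now() - MAX_CLOCK_SKEW_SECONDS
        for k, ts in list(self.seen_nonces.items()):
            if ts < cutoff:
                del self.seen_nonces[k]


if __name__ == "__main__":
    verifier = Verifier(CREDENTIALS)
    req = sign_request("key_123", CREDENTIALS["key_123"], "GET", "/v1/users", {"id": "42"})
    print(verifier.verify("GET", "/v1/users", req))   # first delivery is accepted
    print(verifier.verify("GET", "/v1/users", req))   # exact replay is rejected
```

Two details matter in practice: the timestamp is checked before the signature so that clearly stale traffic is cheap to drop, and the signature is checked before the nonce store is touched so that only authentic requests can consume a nonce. The comparison uses `hmac.compare_digest` rather than `==` to avoid leaking information about the expected signature through timing.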
