I have found quite a few questions on this topic on SO, but couldn't find any answering this question:
Should I validate users with their username and password, or with an API key? And what are the pros and cons of each method.
I ask this because in my API, there are a couple of methods I'd like to lock down and verify that the user has access to some document or action. I'm a bit reluctant to authenticate by having the user send an HTTP AUTH header with their username and password because it feels unsecured and a bit more of a hassle for the user. On the other hand, though, if I use an API key, what's the point of the user ever creating a password? As they will no longer be using it to access features of the API.
UPDATE
If other readers of this are curious what I ended up using, I decided to copy how Amazon does their validation (good explanation here: https://www.ida.liu.se/~TDP024/labs/hmacarticle.pdf)
you can use HTTP Authentication over SSL and that's secure enough. However it makes consumption of API a bit difficult as it requires the client library to support SSL. SSL can affect the performance too if you're expecting too many calls simultaneously.
API key option is just as insecure as HTTP Authentication without SSL. If you're not concerned with security then API Key is the easiest for consumers of the API.
One good method is to have a login method, taking the username and password (hopefully over TLS). You give them an expiring token if they successfully auth; the rest of their API calls must contain this token to succeed.
来源:https://stackoverflow.com/questions/7606559/restful-api-authentication