Yelp api invalid signature
12/12/2023

Right now, we only allow clients to send API keys to our Edge proxy using only the apikey query parameter. This makes it difficult for clients to keep their API keys secret; they tend to leak keys on a regular basis. Both ourselves and some of our clients believe it's a good idea to support passing API keys in the headers, where they will benefit from the security of HTTPS, although we will also continue to support the key as a query parameter. I started investigating how to do this correctly, and reading the HTTP specs I think a correct way to do this would be to use the Authorization header, presumably something like:

Authorization: APIKEY your-api-key-here

I notice this is not the way that is suggested in your documentation. What are the advantages / disadvantages using the apikey header vs the Authorization header? (client ease-of-use)? I also notice that the default status response for an invalid apikey parameter is HTTP 401, Unauthorized. However, this requires that the response headers include a suggested authentication method, which is also not configured. Are there any consequences to not providing this header?

There is no single, "correct" way to pass in authentication information, including API keys. This is true for any HTTP API, whether managed in Apigee Edge or not.

As you know, your policies in Apigee Edge can access any part of the inbound message: query parameters, headers, payload, URL path elements, and methods. You mentioned "key leakage" as a problem. For sure, eliminating the possibility to transmit keys in the query string is a good idea. Also, using TLS to secure the transport layer may also be recommended.

As for whether using the Authorization header WITH an APIKEY prefix is necessary: the spec recommends it, so obviously it's not *wrong*, but it does seem like an extra bit of formality and strictness that isn't contributing any value to either the caller or the receiver. And maybe it is contributing some "cost" in terms of complexity. In particular on the caller side, the developer would need to add that prefix to every call. On the server side, you would need the converse - a string split - and then you'd need to validate that the prefix was the prefix you were expecting: Apikey and none other. To me, the simplest thing that works is the best, and this APIKEY prefix would represent extra framing. What is the point of all this extra framing? The prefix seems like it would be a really good idea if your API endpoint needed to handle multiple distinct kinds of authentication: Key, Token, Signature, and so on.
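The server-side handling the reply describes, as an added example that is not code from the thread or from Apigee: split the Authorization header, accept the APIKEY scheme and none other, fall back to an apikey header or the apikey query parameter (reporting which one was used so query-string use can be logged during migration), and answer 401 with a WWW-Authenticate header. The header name apikey, the realm string and the sample key are assumptions.

```python
import hmac
from typing import Dict, Optional, Tuple

# Constructed values for this example; a real gateway would look keys up in its
# credential store rather than in a module-level list.
EXPECTED_SCHEME = "APIKEY"            # the one prefix we accept, and none other
VALID_KEYS = ["k-0123456789abcdef"]   # constructed sample key (assumption)
REALM = "edge-proxy"                  # assumed realm name for WWW-Authenticate


def extract_api_key(headers: Dict[str, str], query: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Locate the client's key. Returns (key, source); 'source' lets the caller log
    how many clients still send keys in the query string while that path is kept."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    auth = h.get("authorization")
    if auth is not None:
        parts = auth.strip().split(None, 1)          # the server-side "string split"
        # RFC 7235 auth-scheme tokens are case-insensitive, so compare uppercased;
        # anything other than APIKEY (e.g. Bearer, or a bare key) is rejected here.
        if len(parts) != 2 or parts[0].upper() != EXPECTED_SCHEME:
            return None, "authorization-bad-scheme"
        return parts[1].strip(), "authorization"
    if "apikey" in h:                                # plain custom header, no prefix
        return h["apikey"].strip(), "header"
    if "apikey" in query:                            # still accepted, but flagged
        return query["apikey"], "query"
    return None, "missing"

def key_is_valid(key: str) -> bool:
    """Constant-time comparison against every known key (as bytes, so non-ASCII
    client input cannot raise inside compare_digest)."""
    k = key.encode("utf-8")
    return any(hmac.compare_digest(k, v.encode("utf-8")) for v in VALID_KEYS)

def authenticate(headers: Dict[str, str], query: Dict[str, str]) -> dict:
    """Return a minimal response description: status, headers to set, key source."""
    key, source = extract_api_key(headers, query)
    if key is None or not key_is_valid(key):
        # A 401 must carry WWW-Authenticate naming the scheme the client may use;
        # leaving it out is the unconfigured case the question asks about.
        return {"status": 401,
                "headers": {"WWW-Authenticate": f'{EXPECTED_SCHEME} realm="{REALM}"'},
                "source": source}
    return {"status": 200, "headers": {}, "source": source}

if __name__ == "__main__":
    print(authenticate({"Authorization": "APIKEY k-0123456789abcdef"}, {}))
    print(authenticate({"Authorization": "Bearer k-0123456789abcdef"}, {}))
```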