api key - standards #24

Closed
gbinal opened this issue May 28, 2014 · 3 comments
@gbinal

gbinal commented May 28, 2014

  • Ensure instant signup
@gbinal

gbinal commented May 28, 2014

? allow low-tier access even with no api key?

@konklone konklone added this to the v1 milestone Jun 3, 2014
@diafygi

diafygi commented Aug 12, 2014

Is this regarding authorization API keys? If so, there are fundamentally two ways to implement API keys: token or id+signature.

Token API Auth
You get assigned a token that you attach to every request. You should be the only one with that token, so the server assumes that it's you when you make the request (kind of like a session id cookie). The upside is that it's super easy to include a token as a URL parameter or Authorization header. The downside is that if someone sniffs any of your requests, they can copy your token and impersonate you. OAuth is the most common implementation of this method (GitHub, Dropbox, etc.), but many APIs just roll their own (Stripe and Trello are good examples).

ID+Signature API Auth
You get assigned a public id and a secret key, then attach the public id to every request and sign the request with the secret key. The upside is that if an attacker gets their hands on a request, they still can't impersonate you because they still need your secret key. The downside is that now you need to implement cryptographic signing when you work with the API. Mission-critical stuff like AWS uses this method, but most APIs just say "we are https-only" and use the token method.

I'd recommend the token method, where you can send the token via:

  1. URL parameter (makes for super quick testing and troubleshooting)
  2. Authorization header (via both Basic and Token standards).
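Both schemes from the comment above, side by side, as an added example (this is not code from this issue or from the project it belongs to). The token verifier accepts the key from a query parameter or from a `Token`/`Bearer`/`Basic` Authorization header; the id+signature verifier recomputes an HMAC-SHA256 over a canonical form of the request and rejects stale timestamps. The header names (`X-Client-Id`, `X-Timestamp`, `X-Signature`), the `api_key` parameter name and the credential store are assumptions chosen for the demo.

```python
"""Token auth vs. id+signature auth for an HTTP API (illustrative, not a project API)."""
import base64
import binascii
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed demo credential store: one client with a bearer token (token
# scheme) and a shared secret (id+signature scheme). Not a real key store.
CLIENTS = {
    "demo-client": {
        "token": "tok_demo_0123456789",
        "secret": b"demo-shared-secret-not-for-production",
    },
}
MAX_SKEW_SECONDS = 300  # signed requests older than this are rejected (assumed window)


def canonical_string(method, path, params, body, timestamp):
    """Deterministic bytes that get signed. Sorting the query parameters makes
    client and server build identical input regardless of parameter order."""
    query = urlencode(sorted(params.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, body_hash, str(timestamp)]).encode()


def sign_request(client_id, secret, method, path, params, body, timestamp=None):
    """Client side of the id+signature scheme: returns the headers to attach.
    The secret itself never leaves the client; only the id and the MAC travel."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, params, body, ts), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_signature(headers, method, path, params, body, now=None):
    """Server side: recompute the MAC from the request as received and compare
    in constant time. Returns (ok, reason)."""
    client = CLIENTS.get(headers.get("X-Client-Id", ""))
    if client is None:
        return False, "unknown client id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = hmac.new(client["secret"], canonical_string(method, path, params, body, ts),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def basic_auth_header(key):
    """Build an HTTP Basic header carrying the API key in the username field."""
    return "Basic " + base64.b64encode(f"{key}:".encode()).decode()


def verify_token(headers, params):
    """Server side of the token scheme. The token may arrive as the `api_key`
    query parameter, as `Authorization: Token <key>` / `Bearer <key>`, or in
    either field of HTTP Basic credentials. Returns the client id or None."""
    candidates = []
    if params.get("api_key"):
        candidates.append(params["api_key"])
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme in ("token", "bearer") and value:
        candidates.append(value)
    elif scheme == "basic" and value:
        try:
            user, _, password = base64.b64decode(value, validate=True).decode().partition(":")
            candidates.extend(c for c in (user, password) if c)
        except (binascii.Error, UnicodeDecodeError):
            return None
    for client_id, record in CLIENTS.items():
        if any(hmac.compare_digest(record["token"], c) for c in candidates):
            return client_id
    return None


def demo():
    """Sign one request, verify it, then show that the captured signature neither
    transfers to a different request nor survives the timestamp window."""
    secret = CLIENTS["demo-client"]["secret"]
    params, body, ts = {"zip": "20001", "format": "json"}, b'{"q":"weather"}', 1_700_000_000
    headers = sign_request("demo-client", secret, "GET", "/v1/data", params, body, timestamp=ts)
    return {
        "valid": verify_signature(headers, "GET", "/v1/data", params, body, now=ts + 10),
        "tampered": verify_signature(headers, "GET", "/v1/data", {"zip": "90210", "format": "json"}, body, now=ts + 10),
        "stale": verify_signature(headers, "GET", "/v1/data", params, body, now=ts + 1000),
    }
```

The contrast the comment draws is visible in the two verifiers: `verify_token` only needs the token string, so anything that holds the string is accepted; `verify_signature` binds the credential to a specific method, path, parameters, body and time, so a captured request is useless for any other request and expires on its own.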

@konklone

Thanks for breaking this out!

but most APIs just say "we are https-only" and use the token method.

Yep, and we are https-only. And we aim to use good HTTPS, including forward secrecy. So unless the circumstances truly demand it, I'd advocate a token approach over a cryptographic signature.

@mgwalker mgwalker closed this as completed Dec 7, 2021