I have created and api and i want to have some control over who use it, how often etc. I want to have a API key strategy so that the users must provide the key in order to use the API. However i don't know how to implement it. The users are registered with username and password. What i thought of was to assign a UUID when the user logs in and store it in a table in the database. The each request include this uuid and it is checked oeach request at the server.
However this does not seem right. Could someone explain the steps in order to create a api key like, dropbox, twitter, facebook etc. does? I want to try implement this myself.
Could someone explain the steps in order to create a api key like, dropbox, twitter, facebook etc. does? I want to try implement this myself.
Note: if you don't want it to be a decryptable key, as in, it is hashed and thus infinitely more difficult to crack, then you can simply follow this stratgey: make a set of steps to form your unhashed data string: sha1("some-secret"."some-other-bit-of-info"."etc"."etc") and then the API consumer has the onus on them to generate their own key. Thus, they have access only if they have the necessary parts / info needed to construct it.
Take Stripe's API as a decent example:
make authorization request: an API key is returned. "curl uses the -u flag to pass basic auth credentials (adding a colon after your API key will prevent it from asking you for a password)." --Stripe Docs
send that key along with all further requests.