There are several useful web services out there that expose APIs like the Facebook APIs, Twitter APIs, Google Plus APIs, Etrade APIs and so on.
Most of these platforms do not expose their web service APIs freely: you have to register as a developer and are issued an API key (e.g. Twitter, Google).
I have been trying to understand how API keys work and whether they hold any value as a security mechanism. The short answer is that using an API key as a security mechanism is a bad idea, because there is no easy way to hide an API key. Consider this: you write a .NET desktop application that accesses Twitter accounts and displays the tweets associated with an account. For this your .NET application makes use of the Twitter API, and every call to that API has to carry your API key.
However, this means the API key has to be distributed with your application to your clients. You could try to protect it by encrypting it or embedding it in a binary file, but a determined developer with reasonable skills will be able to recover the key eventually.
So what, then, is the purpose of the API key? From what I have learnt so far, the API key serves mainly as a tool to collect metrics and to identify the application that is making the API calls. This lets the web service provider determine how much their service is being used and by whom, and it lets them charge the application owner based on how much of the service (storage, compute, network traffic, etc.) is consumed.
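To make the two points above concrete, here is an added example (my own illustration, not code from the original post or from any of the providers named): a toy API gateway that treats the key exactly as described, as an identifier of the calling application for metering and quota, and a small pre-release check that finds a key baked into a shipped artifact. The registry, key format, application names and the fake binary are all constructed sample values.

```python
"""Added example: API keys as application identifiers for metering, plus a
pre-release check for keys embedded in a build artifact. Every key, app name
and byte string here is constructed for the demo."""
from collections import defaultdict
import re

# Constructed registry: API key -> (application name, call quota per period).
API_KEYS = {
    "app-key-demo-0001": ("TweetViewerDesktop", 3),
    "app-key-demo-0002": ("PartnerDashboard", 100),
}


class ApiGateway:
    """Attributes each call to a registered application and meters it.

    The key says which application is calling; it says nothing about which
    end user is behind it, because every copy of a distributed desktop app
    presents the same key and therefore shares the same quota."""

    def __init__(self, registry):
        self.registry = registry
        self.served = defaultdict(int)    # successful calls per application
        self.rejected = defaultdict(int)  # calls refused because the quota was spent

    def handle(self, api_key, resource):
        """Return (status, body): 403 for an unknown key, 429 once the
        application's quota is exhausted, 200 otherwise."""
        entry = self.registry.get(api_key)
        if entry is None:
            return 403, "unknown application"
        app_name, quota = entry
        if self.served[app_name] >= quota:
            self.rejected[app_name] += 1
            return 429, f"{app_name}: quota of {quota} calls exhausted"
        self.served[app_name] += 1
        return 200, f"{app_name} fetched {resource}"

    def usage_report(self):
        """What the provider bills or rate-limits on: calls per application."""
        apps = set(self.served) | set(self.rejected)
        return {a: {"served": self.served[a], "rejected": self.rejected[a]}
                for a in apps}


# Constructed key format; a real provider's keys would have their own shape.
KEY_PATTERN = re.compile(rb"app-key-demo-\d{4}")


def scan_artifact_for_keys(artifact: bytes, registry) -> list:
    """Pre-release check: list every registered key that appears verbatim in a
    build artifact. Anyone holding the artifact can run the same search, which
    is why a shipped key cannot be treated as a secret."""
    found = {m.decode() for m in KEY_PATTERN.findall(artifact)}
    return sorted(k for k in found if k in registry)


# Constructed stand-in for a compiled client with the key in its data section.
FAKE_BINARY = (b"MZ\x90\x00" + b"\x00" * 16
               + b"app-key-demo-0001\x00"
               + b"https://api.example.invalid/\x00")


if __name__ == "__main__":
    gw = ApiGateway(API_KEYS)
    # Four "users" of the same desktop app all present the same key.
    for _ in range(4):
        print(gw.handle("app-key-demo-0001", "/tweets"))
    print(gw.handle("not-a-registered-key", "/tweets"))
    print(gw.usage_report())
    print("keys found in artifact:", scan_artifact_for_keys(FAKE_BINARY, API_KEYS))
```

The gateway never asks who the user is; it only attributes and counts. The scan is the check to run on your own release build before it ships: if it returns anything, that key is now effectively public and should be treated as an identifier, not a credential.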