update module3.ipynb
This commit is contained in:
parent
ccf68f4ebf
commit
b050e5c5bf
@ -749,14 +749,72 @@
|
||||
"cell_type": "markdown",
|
||||
"metadata": {},
|
||||
"source": [
|
||||
"# API Keys"
|
||||
"# API Keys\n",
|
||||
"\n",
|
||||
"An Application Programming Interface (API) key is an authentication token that allows you to call an API. An application passes an API key to the API, which is then called to identify the person, programmer, or program trying to access a website. It is frequently accompanied by a set of access rights that are specific to the API the key is linked to. In this reading, you will delve into API keys, their role, their function in authentication and authorization, and how they are used. \n",
|
||||
"\n",
|
||||
"The API key is usually randomly generated by the application and must be sent on every API call. It serves as a distinctive identifier and offers a secure token for authentication.\n",
|
||||
"\n",
|
||||
"## Authentication and authorization\n",
|
||||
"\n",
|
||||
"API keys may be used for both authentication, making sure you’re who you say you are, and authorization, deciding which APIs you are allowed to call.\n",
|
||||
"\n",
|
||||
"When you are authenticating with API keys, you are ensuring that malicious users or applications can’t call an API and make unauthorized or authorized changes. With project authentication (application or site authentication), API keys help identify the project or application that makes the call. If you are using API keys for user authentication, the identity of the user is being verified. \n",
|
||||
"\n",
|
||||
"When you are authorizing with API keys, you are also ensuring that you have the correct API call. Authorization will also check that the API key being used in the project is available.\n",
|
||||
"\n",
|
||||
"## How they are used\n",
|
||||
"\n",
|
||||
"When using APIs, the usage depends on the specific API. With most APIs, you are required to send the API key with every request. It can be sent in one of several ways:\n",
|
||||
"\n",
|
||||
"1. As an HTTP parameter in the request URL. Example: GET https://myapp.com/api/users/list?apikey=12345678\n",
|
||||
"2. As an HTTP header sent with the request. Example: GET https://myapp.com/api/users/listX-API-Key: 12345678\n",
|
||||
"3. (Rarely) Posted to a specific authorization endpoint, which returns another token or a cookie to be sent with subsequent requests. Example: POST https://myapp.com/api/auth{ “token”: “12345678” }\n",
|
||||
"\n",
|
||||
"One last tip, do not hardcode API keys into your application code, especially if it will be posted in a public repository like Github. If you have hardcoded your API keys into your application code, anyone who wants to can make API calls with your authorization! \n",
|
||||
"\n",
|
||||
"Unfortunately, it happens every day. For this reason, many applications are moving away from API keys and toward OAuth, which requires the user to manually authorize an application before using it. With being extra cautious, you can make sure this does not happen to you. \n",
|
||||
"\n",
|
||||
"## Key takeaways\n",
|
||||
"\n",
|
||||
"- **API keys facilitate secure interactions:** The API key serves as a crucial authentication token that not only permits API calls, but also plays a vital role in regulating access privileges and defining permissible actions. It's an essential tool in ensuring secure and controlled communication within digital ecosystems.\n",
|
||||
"- **Authentication and authorization:** API keys serve a dual purpose: authentication and authorization. Authentication verifies the identity of users or applications making API calls, preventing unauthorized access or changes. Authorization, on the other hand, ensures that users have the appropriate rights to call specific APIs, promoting controlled usage and adherence to access policies.\n",
|
||||
"- **Effective API key usage:** When using APIs, the API key can be included as an HTTP parameter in the URL or an HTTP header. Ensuring that API keys aren't hardcoded in application code is important in order to prevent unauthorized access. Many applications are transitioning from API keys to more secure methods where manual user authorization enhances security measures and minimizes risks associated with API misuse."
|
||||
]
|
||||
},
|
||||
{
|
||||
"cell_type": "markdown",
|
||||
"metadata": {},
|
||||
"source": [
|
||||
"# When to use API Keys"
|
||||
"# When to use API Keys\n",
|
||||
"\n",
|
||||
"Managing access and safeguarding resources is where API keys come into play. An API may require API keys for part or all of its methods. In this reading, we delve into the concept of API keys, exploring their pivotal role in not only securing and controlling access, but also in gathering insights to some processes API keys should not be used for. \n",
|
||||
"\n",
|
||||
"There are a few reasons why you might want to use API keys.\n",
|
||||
"\n",
|
||||
"## What you can use API keys for\n",
|
||||
"\n",
|
||||
"Some of the ways you might use API keys include: \n",
|
||||
"\n",
|
||||
"- **To block anonymous traffic** - Can help to protect your API from abuse and to ensure that only authorized users are able to access it.\n",
|
||||
"- **To control the number of calls made to your API** - Can help to prevent your API from being overloaded and to ensure that it is available to all authorized users.\n",
|
||||
"- **To identify usage patterns** - Can be used to improve your API and to make sure that it is meeting the needs of your users.\n",
|
||||
"- **To filter logs by API key** - Can help you to troubleshoot problems with your API and to identify which users are using your API the most.\n",
|
||||
"\n",
|
||||
"## What you cannot use API keys for\n",
|
||||
"\n",
|
||||
"You can’t use API keys for: \n",
|
||||
"\n",
|
||||
"- **Identifying individual users** - API keys do not identify individual users; they identify entire projects.\n",
|
||||
"- **Secure authorization** - They should be used only to identify and control access to an API.\n",
|
||||
"- **Identifying the creators of a project** - Service Infrastructure doesn't provide a method to directly look up projects from API keys.\n",
|
||||
"\n",
|
||||
"## Key Takeaways\n",
|
||||
"\n",
|
||||
"- You use API keys for blocking anonymous traffic, controlling the number of calls made to your API, identifying usage patterns, and to filter logs by API keys.\n",
|
||||
"- You can’t use API keys for identifying individual users, securing authorization, and identifying the creators of a project.\n",
|
||||
"\n",
|
||||
"API keys serve as the link between the potential of APIs and the demand for restricted usage. As developers continue to harness the power of APIs to weave intricate software ecosystems, a nuanced understanding of API keys' capabilities and boundaries becomes the cornerstone of ensuring secure, efficient, and insightful API management."
|
||||
]
|
||||
},
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user