Passing api keys to rest api Passing api keys to rest api codeigniter codeigniter

Passing api keys to rest api


php codeigniter rest api-key

You should look into request signing. A great example is Amazon's S3 REST API.

The overview is actually pretty straightforward. The user has two important pieces of information to use your API, a public user id and a private API Key. They send the public id with the request, and use the private key to sign the request. The receiving server looks up the user's key and decides if the signed request is valid. The flow is something like this:

  1. User joins your service and gets a user id (e.g. 123) and an APIkey.
  2. User wants to make a request to your API service to update their email address, so they need to send a request to your API, perhaps to/user/update?email=new@example.com.
  3. In order to make it possible to verify the request, the user adds the user id and a signature to the call, so the call becomes/user/update?email=new@example.com&userid=123&sig=some_generated_string
  4. The server receives the call, sees that it's from userid=123, and looks up the API key for that user. It then replicates the steps to create the signature from the data, and if the signature matches, therequest is valid.

This methodology ensures the API key is never sent as part of the communication.

Take a look at PHP's hash_hmac() function, it's popular for sending signed requests. Generally you get the user to do something like put all the parameters into an array, sort alphabetically, concatenate into a string and then hash_hmac that string to get the sig. In this example you might do:

$sig = hash_hmac("sha256",$params['email'].$params['userid'],$API_KEY)

Then add that $sig onto the REST url as mentioned above.

php codeigniter rest api-key

The idea of REST is that it's stateless—so no sessions or anything. If you want to authenticate, then this is where keys come in, and keys must be passed for every request, and each request authenticates the user (as REST is stateless, did I mention that?).

There are various ways you can pass a key. You could pass it as a parameter (i.e. http://example.com/api/resource/id?key=api_key) or you can pass it as part of the HTTP headers. I've seen APIs that specify you send your username, and an API key as the password portion of the HTTP basic access authorization header.

An example request:

<?php$ch = curl_init();curl_setopt_array($ch, array(    CURLOPT_RETURNTRANSFER => true,    CURLOPT_URL => 'http://example.com/api/resource/id',    CURLOPT_USERPWD => 'martinbean:4eefab4111b2a'));$response = curl_exec($ch);

Where martinbean would be my account username on your website, and 4eefab4111b2a would be my API key.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last