USE CASES FOR AN API KEY


Hi

I am really trying to understand the use cases of the API consumer key for a developer application.

We need to verify one use case:

  • 1. Developer logs into the dev portal using SSO (kronos authentication system).
  • 2. The security policy for the API consumer key is removed from API Edge so that an API key is not required for any API call.
  • 3. Developer creates two separate applications using the same kronos product on the developer portal.
  • 4. As we have disabled the API key, how will the developer keep track of which application is currently in use? Are there ways other than the API consumer key which can be used by a developer to distinguish between the applications, other than using the API key?

Hi @Arpit Sharma

I'm not entirely clear on your question. But I'll explain a little, and maybe this will help.

The uses of an API consumer_key: An API Consumer Key should be considered to be application identification. Not always authentication, because the consumer_key could be compromised, especially if the application runs on a consumer's mobile device. When you hear the term "consumer_key", you should think "application key". A consumer in this case is a consumer of the API, in other words, an application, and a consumer_key identifies the application.

You described a scenario in which Edge is configured to not verify the consumer_key. Since you have eliminated that, there is no way for Edge to associate inbound API requests with a particular application.

> how will the developer keep track of which application is currently in use.

There is no way. The consumer_key (also known as API Key) is designed for this purpose. If you don't use it, you cannot track within Edge which app is making the calls.

Now, let me say there is a large special case. Not really an exception, but just a special case of using API keys directly: There is the possibility to use OAuth tokens. These are limited-life tokens that are derived from the consumer_key. Think of tokens as an alternative to the direct use of the consumer_key for application identification. Because a token can be obtained only by an app that has possession of a consumer_key, when an app uses a token, it is effectively an indirect use of the consumer_key.

To summarize, if your app is designed to use consumer_key (also referred to as API Keys), then:

  • the developer registers the app on the developer portal, receives a consumer_key and secret
  • the developer writes an app, and embeds the consumer_key into the app
  • the app sends the consumer_key along with all API requests
  • Edge receives those requests and tracks usage based on that consumer_key
  • API Analytics in Edge reflects that usage
  • The developer portal can show app and developer analytics, informing the developer of the traffic generated by each and all of his apps

If your app is designed to use tokens then:

  • the developer registers the app on the developer portal, receives a consumer_key and secret
  • the developer writes an app, and embeds that information into the app
  • upon first run, the app presents the consumer_key and consumer_secret to Edge, to request a token
  • Edge generates a token and sends it back to the app
  • the app sends the token with all subsequent API requests
  • Edge receives those requests and maps the token to the originating consumer application (==consumer_key)
  • API Analytics in Edge reflects that usage (by app and developer)
  • The developer portal can show app and developer analytics, informing each developer of the traffic generated by each and all of his apps

If your app uses neither consumer_key nor oauth tokens, then Edge cannot track developer and app usage.
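The two flows above (direct consumer_key use, and a token derived from the consumer_key and consumer_secret), as an added toy model written for this thread; it is not Apigee Edge code, and the Gateway, App, header names and hex key format are assumptions standing in for the portal's app registry and the proxy's verification policies:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the developer portal's app registry.
@dataclass
class App:
    name: str
    developer: str
    consumer_key: str
    consumer_secret: str

@dataclass
class Gateway:
    apps: dict = field(default_factory=dict)    # consumer_key -> App
    tokens: dict = field(default_factory=dict)  # access_token -> consumer_key
    usage: dict = field(default_factory=dict)   # app name -> request count (analytics)

    def register(self, name, developer):
        # Portal step: developer registers an app and receives key + secret.
        app = App(name, developer, secrets.token_hex(16), secrets.token_hex(16))
        self.apps[app.consumer_key] = app
        return app

    def issue_token(self, key, secret):
        # Token flow: only an app holding the key AND secret can obtain a token.
        app = self.apps.get(key)
        if app is None or not hmac.compare_digest(app.consumer_secret, secret):
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = key          # token is bound to the consumer_key
        return token

    def identify(self, headers):
        # Direct use of the consumer_key, or indirect use via a bearer token.
        key = headers.get("x-api-key")
        if key is None and "Authorization" in headers:
            scheme, _, token = headers["Authorization"].partition(" ")
            if scheme == "Bearer":
                key = self.tokens.get(token)
        return self.apps.get(key) if key else None

    def handle(self, headers):
        # With neither key nor token there is nothing to attribute the call to.
        app = self.identify(headers)
        if app is None:
            return 401, None
        self.usage[app.name] = self.usage.get(app.name, 0) + 1
        return 200, app.name
```

Two apps registered by the same developer on the same product only become distinguishable in `usage` because each request carried a key or a token that maps back to one consumer_key.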

During run-time processing of the request, the proxy identifies an app from the API key (API key validation) or access token. Without the API key/access token there is no way for an API proxy to identify the app that is generating the request.