Why use keys from Developer Apps?

Report Inappropriate Content · 03-11-2017 09:09 AM

I understand the use of APIgee between the consumer and the API provider. I understand how API Edge is helping in the process. From the foundational training, I understand that Developers are the ones that consume the backend services (APIs) via their Apps. But I don't understand why we use API Keys from developer apps, while APIs themselves come with API Keys. In the live production, where do we use API keys from Developer Apps. How and where do we use API keys from backend services (APIs)?

anilsr

@Loganathan Murugesan , Great Question, Let me clarify couple of things, Please find details inline,

I understand the use of Apigee between the consumer and the API provider :

Yes, You are right on the money. Apigee platform delivers value in entire digital value chain from End Consumer to Backend service.

From the foundational training, I understand that Developers are the ones that consume the backend services (APIs) via their Apps

Yes, That's correct. App Developers (Internal Teams, Partners, Public Developers) will consume APIs via their Apps.

But I don't understand why we use API Keys from developer apps, while APIs themselves come with API Keys.

Above statement is not correct. APIs themselves doesn't come with keys. If that's the case, You might end up with tons of keys for hundreds of APIs. No one remembers these keys & you will end up with hundreds of locks with bunch of keys.

For example if there are 3 different Entities & Multiple API resource paths under it,

Customers

GET /v1/customers

GET /v1/customers/{customerId}

POST /v1/customers

Orders

GET /v1/orders

GET /v1/orders/{orderId}

POST /v1/orders

Stores

GET /v1/stores

GET /v1/stores/{storeId}

POST /v1/stores

If each API comes with keys, you will end up with 9 keys. Ideally, You need 1 key to access these APIs from your App.

Apigee Edge allows you package these APIs into Products & Expose them via Developer App concept. You need to register your App with API provider & choose API Products that will give access to above APIs via Developer App Keys.

Where do we use API keys from Developer Apps ?

You use API keys to call APIs securely. Without these keys, You can't access APIs if they are secured by keys.

How and where do we use API keys from backend services (APIs)?

It doesn't matter it's a backend service / client app / browser that is making the API call. You call the API by authenticating same with keys. APIs are language of things. You can make a simple API Get call using browser / CURL command line / Javascript / Java / Python program & so on.

Please find 4MV4D video that explains API Product & Keys concept in Apigee Edge here.

Report Inappropriate Content

Thanks @Anil Sagar for the detailed explanation. I'm still confused on the question "But I don't understand why we use API Keys from developer apps, while APIs themselves come with API Keys."

Say, I'm trying to use Twitter's Search API as my target endpoint. I have already created a Twitter developer app, which is given an API key. How do I use that key in APIgee? or How do I link the developer app in APIgee with Twitter app? Or should I somehow register APIgee developer app with Twitter?

anilsr

@Loganathan Murugesan , Story of Apigee is every business becoming digital business like google or twitter by exposing APIs like the former does. Many traditional companies doesn't have API security like twitter. Their APIs might be legacy with Basic Authentication protocol. Building security using keys from scratch & adding security like oAuth might take quarters / years from them. Using Apigee Edge they can do same in a matter of minutes.

Like twitter, let's say some organisation X has services & data stored in multiple systems. They would like to expose the APIs like google or twitter seamlessly. That's where Apigee Edge comes into the picture. They manage / build / scale / secure / publish APIs using Apigee Edge platform. Expose API documentation, App Creation using Apigee Edge Developer Portal, Track & Analyze Apis using Apigee Edge Analytics.

In twitter case, You will use the twitter API key to talk to twitter backend. Use Apigee keys to secure & track twitter APIs exposed from Apigee Edge platform. For example, Let's say you have value added services on top of twitter APIs. For example, Let's say twitter apis list tweets without total count. You have improved twitter API using Apigee Edge & Added additional info that gives total count of tweets. Twitter API is your target server. Let's say few developers like your APIs which provides additional info & value on top of twitter APIs. They would like to consume APIs exposed from Apigee Edge. You cannot share the single twitter API key with 10 developers. Developers will register to your API program using Apigee Developer Portal , For example, http://dev-4mv4d.devportal.apigee.com/ , Create Apps, Get Keys, Use Keys to access twitter APIs exposed from Apigee Edge.

Apigee Edge in the API Proxy checks the Apigee Key, Validates It, Removes the Apigee Edge Key, Adds the twitter key, calls the twitter API. You need to call the twitter API with your twitter key. It's called last mile security. Find more details here. By exposing the APIs using Apigee Edge, You know who is calling the twitter APIs (Exposed by you with additional value) & make sure they access what they are intended to.

See video below that explains Apigee Edge Platform. Apigee Edge helps Enterprises / SMBs / startups to become platforms like twitter or google & expose APIs securely using keys, allow developers to register & access APIs just like you have created app, got keys, read API documentation in Twitter API program.

For example, See FirstData - Payeezy (Financial Payment Gateway Services Company) developer portal where their Portal & APIs are powered by Apigee Edge Platform.

Report Inappropriate Content

Thanks Anil

anilsr

Anytime, You can click on Accept link below the answer if your query is resolved so that it's helpful for others. Keep us posted moving forward if any.