Verify API Key versus GetOAuthInfoV2 policy

Hello @Sean Davis

I am trying to get the App details, like the App name, callback URL, etc., in my proxy. This can be achieved with both policies, VerifyAPIKey and GetOAuthInfoV2.

Which policy is considered to be the optimum: VerifyAPIKey or GetOAuthInfoV2?

What is recommended to be used?

Thanks,

Nimisha

2 REPLIES

You use the Verify API Key policy just to validate that the API key exists and is active. Then you use that API key and API secret to generate OAuth tokens, which you then send instead of the API key to a verify access token policy, to avoid sending the API key in each request. Although both can be used to secure your API, OAuth tokens offer a wider set of features. IMHO VerifyAccessToken is better than just API keys, but it depends on your use case.

The choice between the Verify API Key and GetOAuthInfoV2 policies would depend on how your API design/use case is outlined. As you rightly said, both of these policies serve the purpose. You can look at the points below to see which of them aligns with your use case/API design:

  • In the OAuth flow, the API key and secret are passed to get the token, then the token is used to authorize all subsequent API calls. In this case GetOAuthInfoV2 will fit, in order to extract app attributes from the token.
  • In an API use case where the API key is part of every API call, Verify API Key would be the fit.
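
The two cases from the replies, as an added configuration example that is not part of the original thread (in Apigee the policy element is spelled `GetOAuthV2Info`). The policy names `VerifyKey`, `VerifyToken`, `GetTokenInfo`, the header names, and the locations the key and token are read from are assumptions; each policy would live in its own file in a proxy bundle.

```xml
<!-- Constructed example: policy names, header names and credential locations are assumptions. -->

<!-- Case 1: the API key is part of every call. -->
<VerifyAPIKey name="VerifyKey">
  <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

<!-- Once VerifyKey succeeds, the app details are available as verifyapikey.VerifyKey.* -->
<AssignMessage name="CopyAppDetailsFromKey">
  <Set>
    <Headers>
      <Header name="X-App-Name">{verifyapikey.VerifyKey.developer.app.name}</Header>
      <Header name="X-App-Callback">{verifyapikey.VerifyKey.redirection_uris}</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" type="request"/>
</AssignMessage>

<!-- Case 2: the client exchanged key and secret for a token and sends only the token. -->
<!-- VerifyAccessToken is the step that rejects the call when the token is not valid. -->
<OAuthV2 name="VerifyToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- Reads the attributes stored with the token; assumes the access_token flow
     variable was populated by the VerifyToken step above. -->
<GetOAuthV2Info name="GetTokenInfo">
  <AccessToken ref="access_token"/>
</GetOAuthV2Info>

<!-- Token attributes are available as oauthv2accesstoken.GetTokenInfo.* -->
<AssignMessage name="CopyAppDetailsFromToken">
  <Set>
    <Headers>
      <Header name="X-App-Name">{oauthv2accesstoken.GetTokenInfo.developer.app.name}</Header>
      <Header name="X-Client-Id">{oauthv2accesstoken.GetTokenInfo.client_id}</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" type="request"/>
</AssignMessage>
```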