How can we make API requests without exposing our apikey?


Well, I have watched some tutorials on how Apigee works, but I have an issue: if I generate an apikey for our developers, the same key is passed as a parameter whenever a request is made. When everyone can see it, what makes this secure?


Hi @Chinwa Williams, generally an apikey is used for identifying a developer application. We don't use it as a security measure. The apikey can, in turn, be used to apply specific Quota/Spike Arrest etc. policies.

Please have a look at OAuth Security Schema, which makes use of the apikey & secret to generate an opaque token. This token is again passed as a parameter whenever a request is made, and everyone can see it, but no one can decode it, as the token is just random strings & numbers.

The OAuth Server (Apigee/External) can validate/decode the token. So by using OAuth, you don't expose your apikey.

https://www.youtube.com/watch?v=ctamLL-WO0I

https://docs.apigee.com/api-platform/security/oauth/oauth-introduction
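
A sketch of the flow described in the reply above, as an added example that is not part of the thread and is not Apigee's code: an in-memory stand-in for the OAuth server exchanges an apikey and secret for a short-lived opaque token, and later requests are checked by server-side lookup. The function names, the sample credentials and the TTL are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample app registration (apikey -> secret); not real credentials.
APPS = {"sample-apikey-123": "sample-secret-456"}
TOKEN_TTL_SECONDS = 1800  # assumed lifetime for this sketch

# Issued tokens, indexed by SHA-256 of the token so the store never holds raw tokens.
_tokens = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(apikey, secret, now=None):
    """Token endpoint: exchange apikey + secret for an opaque token."""
    now = time.time() if now is None else now
    expected = APPS.get(apikey)
    # Constant-time comparison; an unknown apikey is rejected after the same compare.
    matches = hmac.compare_digest((expected or "").encode(), secret.encode())
    if expected is None or not matches:
        return None
    token = secrets.token_urlsafe(32)  # random, carries no information about the app
    _tokens[_digest(token)] = {"apikey": apikey, "expires": now + TOKEN_TTL_SECONDS}
    return token


def validate_token(token, now=None):
    """API proxy side: look the token up; return the owning apikey or None."""
    now = time.time() if now is None else now
    entry = _tokens.get(_digest(token))
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _tokens[_digest(token)]  # expired tokens are dropped on first use
        return None
    return entry["apikey"]


def revoke_token(token):
    """Invalidate a leaked token without rotating the apikey or secret."""
    return _tokens.pop(_digest(token), None) is not None
```

The token is only useful while the server's store maps it to an app, so a leaked token can be expired or revoked on its own; it still has to travel over TLS like any bearer credential.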

Hi, I learn faster watching videos rather than reading blogs. Can you share some video tutorials that integrate the OAuth Server approach? Once again, thanks!

Have a look at Apigee 4MV4D, search for OAuth videos.