An application programming interface (API) key is a unique code used by an API to identify the application or user making the request. API keys are used to track and control who uses an API and how they use it, as well as to authenticate and authorize applications, similar to how usernames and passwords work. An API key can be in the form of a single key or a set of keys. Users should follow best practices to improve their overall security against API key theft and avoid the consequences of API key compromise.
API and API key
To understand what an API key is, you first need to understand what an API is. An application programming interface or API is a software intermediary that allows two or more applications to share information. For example, CoinMarketCap's API allows other applications to retrieve and use crypto data, such as price, volume and capitalization.
An API key comes in different forms: it can be a single key or a set of keys. Different systems use these keys to authenticate and authorize an application, similar to a username and password for an individual. An API key is used by an API client to authenticate an application requesting the API.
For example, if Binance Academy wants to use the CoinMarketCap API, an API key will be generated by CoinMarketCap and used to authenticate the identity of Binance Academy (the API client), which is requesting access to the API. When Binance Academy accesses the CoinMarketCap API, this API key must be sent to CoinMarketCap with the request.
This API key should only be used by Binance Academy and should not be shared or sent to others. Sharing this API key would allow a third party to access CoinMarketCap as Binance Academy, and all actions from that third party will appear as if they originated from Binance Academy.
The API key can also be used by the CoinMarketCap API to confirm whether the application is authorized to access the requested resource. Additionally, API owners use API keys to monitor API activity, such as different request types, traffic, and request volume.
What is an API key?
An API key is used to control and track who uses an API and how they use it. The term “API key” can have different meanings in different systems. Some systems have a single code, but others may have multiple codes for a single “API key.”
As such, an “API key” is a unique code or set of unique codes used by an API to authenticate and authorize the user or application originating a request. Some codes are used for authentication and others for creating cryptographic signatures to prove the legitimacy of a request.
These authentication codes are commonly called "API key", while the codes used for cryptographic signatures have different names, such as "secret key", "public key" or "private key". Authentication involves identifying the entities concerned and to confirm that they are who they claim to be.
Authorization, on the other hand, specifies which API services access is allowed. The function of an API key is similar to that of an account username and password. It can also be linked to other security devices to improve overall security.
Each API key is typically generated for a specific entity by the API owner (more details below) and each time a request is made to an API endpoint, which requires authentication or authorization from the API. user, or both, the corresponding key is used.
Cryptographic signatures
Some API keys use cryptographic signatures as an additional layer of verification. When a user wants to send certain data to an API, a digital signature generated by another key can be added to the request. Using cryptography, the API owner can verify that this digital signature matches the data sent.
Symmetrical and asymmetrical signatures
Data shared through an API can be signed by cryptographic keys, which can be classified into the following categories:
Symmetric keys
They involve the use of a secret key to perform both data signing and signature verification. With symmetric keys, the API key and secret key are typically generated by the API owner and the same secret key must be used by the API service for signature verification. The main advantage of using a single key is that it is faster to implement and requires less computing power for signature generation and verification. HMAC is a good example of a symmetric key.
Asymmetric keys
They involve the use of two keys: a private key and a public key, which are different but cryptographically related. The private key is used for signature generation and the public key is used for signature verification. The API key is generated by the API owner, but the private and public key pair is generated by the user. Only the public key should be used by the API owner for signature verification, so the private key can remain local and secret.
The main advantage of using asymmetric keys is the increased security of separating the signature generation and verification keys. This allows external systems to verify signatures without being able to generate them. Another advantage is that some asymmetric encryption systems allow a password to be added to private keys. RSA key pairs are a good example.
Are API keys secure?
Responsibility for an API key lies with the user. API keys are similar to passwords and should be treated with the same care. Sharing an API key is similar to sharing a password and, as such, should not take place as it will put the user's account at risk.
API keys are commonly targeted by cyberattacks because they can be used to perform large-scale operations on systems, such as requesting personal information or executing financial transactions. There have indeed been cases where web crawlers have successfully scanned online code databases to steal API keys.
The consequences of an API key theft can be dramatic and lead to significant financial losses. Additionally, because some API keys do not expire, they can be used indefinitely by attackers once stolen, until the keys themselves are revoked.
Best practices for using API keys
Due to their access to sensitive data and general vulnerability, the secure use of API keys is of paramount importance. You can follow these best practices when using API keys to improve their overall security:
Change your API keys often. This means you should delete your current API key and create a new one. With multiple systems, it is usually easy to generate and delete API keys. Just as some systems require you to change your password every 30-90 days, you should change your API keys with a similar frequency.
Use IP whitelisting: When you create an API key, establish a list of IPs allowed to use the key (an IP whitelist). You can also specify a list of blocked IPs (an IP blacklist). This way, even if your API key is stolen, it cannot be accessed by an unrecognized IP.
Use multiple API keys: Having multiple keys and dividing responsibilities between them will reduce security risk because your security won't depend on a single key with broad permissions. You can also set different IP address whitelists for each key, further reducing security risk.
Store API keys securely: Do not store your keys in accessible locations, on public computers, or in their original plain text format. Instead, store them using encryption or a password manager for added security, and be careful not to accidentally expose them.
Don't share your API keys. You can compare sharing an API key to sharing a password. Doing so gives another party the same authentication and authorization privileges as you do. If compromised, your API key can be stolen and used to hack your account. An API key should only be used between you and the system that generates it.
If your API key is compromised, you must first deactivate it to avoid further damage. In the event of financial loss, take screenshots of key information related to the incident, contact the relevant entities and file a complaint. This is the best way to increase your chances of recovering lost funds.
Conclusion
API keys provide essential authentication and authorization functions, and users should manage and protect their keys carefully. There are many levels and aspects that can ensure secure use of API keys. Overall, an API key should be treated like your account password.
More information
General safety principles
5 Common Cryptocurrency Scams, and How to Avoid Them.