An application programming interface (API) key is a unique code that an API uses to identify the application or user calling it. API keys are used to track and control who is using an API and how they use it, as well as to authenticate and authorize applications, similar to how usernames and passwords work. An API key can be in the form of a single key or a group of multiple keys. Users should follow best practices to improve their overall security against API key theft and avoid the consequences associated with having compromised API keys.
API vs. clave API
To understand what an API key is, we must first know what an API is. An application programming interface or API is middleware that allows information to be shared between two or more applications. For example, the CoinMarketCap API allows other applications to obtain and use data about cryptocurrencies, such as price, volume, and market capitalization.
On the other hand, an API key can take various forms. It can be a single key or a group of multiple keys. These keys are used by different systems to authenticate and authorize an application, similar to how a username and password are used. An API client uses these types of keys to authenticate an application when calling the API.
For example, if Binance Academy wants to use CoinMarketCap's API, CoinMarketCap will generate an API key and use it to authenticate the identity of Binance Academy (the API client), which is requesting access to the API. When Binance Academy accesses the CoinMarketCap API, you must send the API key to CMC along with the request.
This API key should only be used by Binance Academy and should not be shared or sent to third parties. Sharing this API key would allow a third party to access CoinMarketCap as Binance Academy, so any action the third party takes would appear as if it came from Binance Academy.
The CoinMarketCap API can also use this API key to confirm whether the application is authorized to access the requested resource. Additionally, API owners use API keys to monitor API activity, such as request types, traffic, and volume.
What is an API key?
An API key is used to monitor and track who is using an API and how they use it. The term “API key” can refer to a variety of things for different systems. Some systems may have a single code, while others may have multiple codes for a single “API key.”
As such, an “API key” is a unique code or group of codes that an API uses to authenticate and authorize the user or application calling it. Some codes are used for authentication and others to create cryptographic signatures that prove the legitimacy of a request.
These authentication codes are collectively called an “API key,” while the codes used for cryptographic signatures have various names, such as “secret key,” public key,” or “private key.” Authentication involves identifying the entities involved and confirming that they are who they say they are.
Authorization, on the other hand, specifies the API services to which access is granted. The function of an API key is similar to that of an account username and password. It can also connect with other security features to improve overall security.
The API owner typically generates an API key for a specific entity (more details below) and each time a call is made to an API endpoint (requiring user authentication, authorization, or both) the key is used in question.
Cryptographic signatures
Some API keys use cryptographic signatures as an additional layer of verification. When a user wants to send certain data to an API, it is possible to add a digital signature generated by another key to the request. Using cryptography, the API owner can verify that this digital signature matches the data sent.
Symmetric and asymmetric signatures
Data shared through an API can be signed with cryptographic keys, which fall into the following categories:
Symmetric keys
These involve the use of a secret key to perform both data signing and signature verification. With symmetric keys, the API owner often generates the API key and the secret key, and the API service must use the same secret key for signature verification. The main advantage of using a single key is that doing so is faster and requires less computational power for signature generation and verification. A good example of a symmetric key is HMAC (Hashed-Based Message Authentication Code).
Asymmetric keys
These involve the use of two keys: a different private key and a public key, but cryptographically linked. The private key is used to generate the signature and the public key is used to verify it. The API owner generates the API key, but it is the user who generates the public key and private key pair. The API owner must use only the public key to verify the signature, so that the private key remains in place and secret.
The main advantage of using asymmetric keys is having more security by separating the signature generation and verification keys. This allows external systems to verify signatures without being able to generate them. Another advantage is that some asymmetric encryption systems allow a password to be added to private keys. A good example is an RSA key pair (Rivest-Shamir-Adelman, the initials are the initials of the creators' last names).
Are API keys secure?
The responsibility for an API key lies with the user. API keys are similar to passwords and should be treated with the same care. Sharing an API key is similar to sharing a password and as such should not be done as this would put the user's account at risk.
API keys are frequently targeted by cyberattacks as they can be used to perform important operations within a system, such as requesting personal information or executing financial transactions. In fact, there have been cases of crawlers successfully attacking databases with online code to steal API keys.
The consequences of an API key theft can be disastrous and lead to considerable financial losses. Additionally, because some API keys do not expire, attackers can use them indefinitely, until the keys themselves are revoked.
Best practices when using API keys
Due to their access to sensitive data and overall vulnerability, using API keys securely is critically important. You can follow these best practices when using API keys to improve their overall security:
If possible, change your API keys frequently. This means you must delete your current API key and create a new one. On several systems, it is easy to generate and delete API keys. Similar to how some systems require you to change your password every 30 or 90 days, you should change your API keys as frequently if possible.
Use an IP whitelist: When you create an API key, make a list of IPs that are allowed to use the key (an IP whitelist). Also establish a blocked IP list (an IP blacklist). So, even if your API key is stolen, it will not be possible to use it with an unrecognized IP.
Use multiple API keys: Having multiple keys and dividing responsibilities between them will reduce security risk, since your security will not depend on a single key with abundant permissions. You can also set different IP whitelists for each key, further reducing your security risk.
Store API keys securely: Do not store your keys in public environments, on public computers, or in their original plain text format. Instead, save each one via encryption or a Secret Manager for better security, and be careful not to accidentally expose them.
Don't share your API keys. Sharing your API keys is similar to sharing your password. By doing so, you provide a third party with the same authentication and authorization privileges that you have. If your passwords are compromised, they can be used to hack your account. An API key should only be used between the system that generated it and the owner of the key.
If your API key is compromised, you should first disable it to prevent further damage. If any financial loss occurs, take screenshots of key information related to the incident, contact related entities, and file a police report. This is the best way to increase your chances of recovering lost funds.
Conclusions
API keys provide essential authentication and authorization functions, so users should manage and protect their keys carefully. There are many layers and aspects to ensure the secure use of API keys. But in general, an API key should be treated like a password to access your account.
Further reading
General security principles
5 common cryptocurrency scams and how to avoid them