
API Key Authentication Best Practices 

Zuplo API Management

Get Started with Zuplo Free - portal.zuplo.com/signup
Many public APIs choose to use API keys as their authentication mechanism, and with good reason. In this video, we’ll discuss how to approach API key security for your API, including:
* why you should consider API key security
* design options and tradeoffs
* best practices of API key authentication
* technical details of a sound implementation
This video is based on this blog post: zuplo.com/blog/2022/12/01/api...
If you like this, be sure to check out a similar video on rate limiting • The subtle art of API ...
▬▬▬▬▬▬ T I M E S T A M P S ▬▬▬▬▬▬
00:00 - Where our best practices came from
00:40 - Why do the world's best API-first companies use API Keys?
06:30 - GitHub Secret Scanning program
07:05 - Retrievable or Irretrievable?
10:36 - Rolling transition period
11:53 - Show the created date
12:37 - Checksum Validation
14:44 - Support Secret Scanning
16:44 - Minimize Latency
18:49 - Hide Keys Until Needed
20:00 - Copy Pasta
20:50 - Label your Keys
22:36 - Canonical Implementation Flow
See also: zuplo.com/blog/2022/05/03/you...
GitHub's secret scanning partner program: docs.github.com/en/developers...

Category: Science

Published: 28 Jul 2024

Comments: 40
@yiannis_p 2 months ago
The value of this video doesn’t match the views! Thank you so much for this!
@chieeyeoh6204 2 months ago
Totally!
@Zuplo 25 days ago
Thank you - tell your friends :)
@mkorsukov 1 year ago
Good practical ideas regarding the API keys! I appreciate the API key check schema at the end of the presentation! Very informative!
@Zuplo 1 year ago
Thanks!
@prasanthpremzon1111 13 days ago
The insights are so informative and useful. Thanks ☺
@willmcdonnell287 1 month ago
This is a very, very good video. I would watch a whole series on diff dev topics if they were presented this way. Many thanks!
@christhornham 7 months ago
Excellent video. Thank you!
@Zuplo 6 months ago
You are welcome!
@tushar98 9 months ago
Interesting insights! Thanks for making this video ❤
@Zuplo 8 months ago
My pleasure!
@Fikusiklol 8 months ago
Great talk. Thanks!
@Zuplo 7 months ago
Thank you for watching!
@user-us2ic2jb6q 9 months ago
Good video, big thanks!
@Zuplo 8 months ago
Glad you liked it!
@karbee0 1 month ago
I use bcrypt for a one-way encrypted key: {retrievable_part}.{irretrievable_part}, separated with a dot. You can do a script to select it in full with a single click. Bcrypt is not that fast, but not so slow as to be an issue. Caching in memory requires extra work to do; if your database connector supports query caching, use that instead.
@Zuplo 25 days ago
Yes, this is something that would happen on every request, so most developers prefer something a bit faster than bcrypt, but it's probably not making a measurable difference in most cases. Bcrypt is often used in password checks, which aren't on every request, as a password is often exchanged for some temp token.
@grumpydeveloper69 1 year ago
@20:40 you can actually triple-click in most input fields to select the entire value, or set a select-on-entry on a field so the entire contents are selected. Also, adding a copy button makes this a moot point as well.
@joshtwist4875 1 year ago
Can’t guarantee that other input boxes that the key may be in will have a copy button. Most people don’t know about triple-click and so will struggle. It’s zero cost to solve these with a bit of thoughtful design. You do you though.
@Luccas.Furtado 4 months ago
Excellent tips, thanks!
@Zuplo 25 days ago
\o/
@dpklabs 1 year ago
Great insights - thanks for the video. Quick question: how would you recommend generating the checksum?
@Zuplo 1 year ago
You can use an algorithm like CRC32, then convert to base16. Lots of suitable approaches.
@dpklabs 1 year ago
@Zuplo Awesome - thanks! I'll start there and continue exploring other approaches.
@WantMore-mc8dx 9 months ago
Thanks for sharing! Sounds logical. In your experience, how about versioning of the API / endpoints? Any thoughts about it that you can share?
@Zuplo 8 months ago
Yes, going to make a deep-dive video on this - coming soon! Subscribe!
@noah-4482 1 year ago
As a person who uses the Notes app to store API keys, how do you make a vault? Also, great video, it helped a lot!
@Zuplo 1 year ago
There are professional tools to store your keys from multiple providers, and lots of folks use password managers (e.g. 1Password), which have vaults and items designed for assets like this.
@RaphaelSousa-or1dl 1 month ago
Hey, I'm having a hard time understanding how to set up my API key store since I have an API gateway in front of my application. Do I need to register the API key in the gateway as well as in the application DB? (I'm using GCP API Gateway for context, and they offer API key validation in the gateway, but I also want to fetch data from the entity linked to this key.)
@Zuplo 25 days ago
I don't think GCP API Gateway supports API key authentication - in that case, you might want to look at an alternative - may I recommend Zuplo (zuplo.com), which has it built in.
@ashu9103 1 month ago
How can I make use of an API key for authorization?
@Zuplo 25 days ago
Follow this guide and set up a gateway; consider using Zuplo: zuplo.com
@rguere 1 year ago
And sample code?
@Zuplo 25 days ago
This is a best practices guide vs. a how-to-code guide. But most people shouldn't build this themselves and should use a service or gateway (we'd recommend zuplo.com, obviously).
@alex444000 6 months ago
How is a retrievable API key not a glorified plaintext password?
@CC-tf1wq 3 months ago
It should be treated as a password, meaning securely sent to customers if they are using them to access your application, or hashed if you are storing them in your own database.
@Zuplo 25 days ago
Agree with @CC-tf1wq here. At some level, even mTLS certificates and client IDs/client secrets are (encodable as) plaintext passwords. It's not necessarily a bad thing, but there are some things you should do to reduce risk: support self-serve rolling, support key revocation, support GitHub secret scanning. Naturally we do all this for you at Zuplo.com if you use our solution too.
@watchchat 1 year ago
I think your argument, "if it is good enough for Stripe then it should be good enough for you", is greatly misleading. You have to account for the threat model. I’m sure the companies that use API keys have put in that extra effort to secure the ecosystem. I always advocate for more security over ease of use... typically, things that have been made easier to use have hidden complexities, so unless those hidden complexities are understood and accounted for, the implementation could be at risk. But also, I’m not advocating for JWT; there are better solutions. But in this scenario, JWT vs API key: JWT. :-)
@Zuplo 1 year ago
We give some reasons why we think some elements of API keys are more secure than OAuth JWT, and API keys are clearly simpler from both an implementation and adoption standpoint (given your point about complexity) - the main reason people might question the approach is that it's not standardized, and so some of the best practices are not well documented. This video is an effort to change that. As always, you should do what you think is best for your scenario.