mikha

<div>
@R_Harrison - thanks , yes this clarifies a little bit. I was under assumption that, building an API and building some kind of token/key based authentication with it would be something relatively achievable together . while one can do both at the same time, but sounds like setting up the OAuth server and authentication mechanism is a process of its own. <br />
<br />
you mentioned not using username/password , but my understanding was this was the basic authentication with the HTTP requests. <br />
<br />
one more clarification, the data i'm working is not &nbsp;Personal Identifiable Information and probably just having an api key with SSL/TLS would suffice - what's a good approach on rotating such api keys. one obvious one is , coming up with a newer version of the api and attaching a new api key to it, and let clients update it on their end or something similar? <br />
<br />
please let me know any good articles/books/courses &nbsp;on the authentication you might have come across , for my better understanding.
</div>


<div>
You can use username/passwords in the http requests which will use windows authentication, but that can then expose the account and could be used to compromise the server directly. &nbsp;Therefore, generally it is best to use an API key which if exposed can only be used with the API and does not expose any accounts on the server.<br><br>The question of rotating API keys is difficult (and is kind of the reason behind Oauth, JWT, etc) - customers hate being made to change API keys (probably because they often hard-code them)... however, for security we would like to change them every 30 seconds. &nbsp;It's a balancing act between what your customers will accept and how secure you need your environment. &nbsp;However, also consider adding extra layers on your API security like IP address checking, or systems that can detect multiple failed attempts or known hacking techniques and block their requests. &nbsp;Also keep an eye on your log files so you can see any "odd" requests which might indicate a vulnerability. If you can add these extra layers of security you won't need to rotate your keys as often.<br><br>When you develop your API remember people will always try and make it do things your had never expected (even your customers will do this), so be strict when checking API requests and fail requests by default.
</div>


<div>
<div class="content wysiwyg-content fr-view">
I am planning to work on a REST based API, may be host it in one of the cloud providers like AWS . I understand simply having an API key wouldn't be enough from a security perspective, as the key is passed in the header . I simply want to build a REST endpoint and don't plant to build a web front end for users to create an account, so I won't have username/password or use login credentials to validate. should i add this? <br><br>I hear about OAuth standard, or token based, how does this work, if anyone can explain that would be helpful.&nbsp;
</div>
</div>



I am planning to work on a REST based API, may be host it in one of the cloud providers like AWS . I understand simply having an API key wouldn't be enough from a security perspective, as the key is passed in the header . I simply want to build a REST endpoint and don't plant to build a web front end for users to create an account, so I won't have username/password or use login credentials to validate. should i add this?
I hear about OAuth standard, or token based, how does this work, if anyone can explain that would be helpful. 

OAuth authentication for an api?

Web development includes all aspects of presenting content on intranets and the Internet, including delivery development, protocols, languages and standards, server software, browser clients, databases and multimedia generation.

Web Development

authenticaion

Representational state transfer (REST) is an architectural style that gives a coordinated set of constraints to the design of components in a distributed hypermedia system used to design networked applications. RESTful systems typically communicate over Hypertext Transfer Protocol (HTTP) with the same HTTP verbs (GET, POST, PUT, DELETE, etc.) that web browsers use to retrieve web pages and to send data to remote servers. REST interfaces with external systems using resources identified by Uniform Resource Identifier (URI) that can be operated upon using standard verbs.