 | This article needs additional citations for verification .(October 2018) |
An application programming interface (API) key is a secret unique identifier used to authenticate and authorize a user, developer, or calling program to an API. [1] [2]
Cloud computing providers such as Google Cloud Platform and Amazon Web Services recommend that API keys only be used to authenticate projects, rather than human users. [3] [4]
API keys for HTTP-based APIs can be sent in multiple ways: [5]
In the query string:
POST/something?api_key=abcdef12345HTTP/1.1As a request header:
GET/somethingHTTP/1.1X-API-Key:abcdef12345As a cookie:
GET/somethingHTTP/1.1Cookie:X-API-KEY=abcdef12345API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Keys often have no expiration, meaning a stolen key can be used indefinitely unless revoked or regenerated. [6] Keys are supposed to be a secret known only by the client and server, so they should not be communicated over an insecure channel and can only be considered secure when used in conjunction with other security mechanisms such as HTTPS. [5]
There are several risk scenarios when using API keys:
These risks generally stem from the key being in plaintext, which is potentially accessible to adversaries. [2]
In 2017, Fallible, a Delaware-based security firm examined 16,000 Android apps and identified over 300 which contained hard-coded API keys for services like Dropbox, Twitter, and Slack. [7]
In cryptography and computer security, a man-in-the-middle (MITM) attack, or on-path attack, is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two user parties.
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
Memcached is a general-purpose distributed memory-caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read. Memcached is free and open-source software, licensed under the Revised BSD license. Memcached runs on Unix-like operating systems and on Microsoft Windows. It depends on the libevent library.
End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one else, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse. End-to-end encryption is intended to prevent data being read or secretly modified, other than by the true sender and recipient(s). The messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves. Because no third parties can decipher the data being communicated or stored, for example, companies that provide end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.
A web API is an application programming interface (API) for either a web server or a web browser. As a web development concept, it can be related to a web application's client side. A server-side web API consists of one or more publicly exposed endpoints to a defined request–response message system, typically expressed in JSON or XML by means of an HTTP-based web server. A server API (SAPI) is not considered a server-side web API, unless it is publicly accessible by a remote web application.
Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.
This is a technical feature comparison of different disk encryption software.
Google App Engine is a cloud computing platform used as a service for developing and hosting web applications. Applications are sandboxed and run across multiple Google-managed servers. GAE supports automatic scaling for web applications, allocating more resources to the web application as the amount of requests increases. It was released as a preview in April 2008 and launched officially in September 2011.
Android Cloud to Device Messaging, or C2DM, is a defunct mobile notification service that was developed by Google and replaced by the Google Cloud Messaging service. It enabled developers to send data from servers to Android applications and Chrome extensions. C2DM originally launched in 2010 and was available beginning with version 2.2 of Android. On June 27, 2012, Google unveiled the Google Cloud Messaging service aimed at replacing C2DM, citing improvements to authentication and delivery, new API endpoints and messaging parameters, and the removal of API rate limits and maximum message sizes. Google announced official deprecation of the C2DM service in August 2012, and released documentation to assist developers with migrating to the new service. The C2DM service was discontinued for existing applications and completely shut down on October 20, 2015.
Google Authenticator is a software-based authenticator by Google. It implements multi-factor authentication services using the time-based one-time password and HMAC-based one-time password, for authenticating users of software applications.
Google Cloud Messaging (GCM) was a mobile notification service developed by Google that enables third-party application developers to send notification data or information from developer-run servers to applications that target the Google Android Operating System, as well as applications or extensions developed for the Google Chrome internet browser. It was available to developers free of charge. The GCM Service was first announced in June 2012 as a successor to Google's now-defunct Android Cloud to Device Messaging (C2DM) service, citing improvements to authentication and delivery, new API endpoints and messaging parameters, and the removal of limitations on API send-rates and message sizes. It has been superseded by Google's Firebase Cloud Messaging (FCM) on May 29, 2019.
In web development, a webhook is a method of augmenting or altering the behavior of a web page or web application with custom callbacks. These callbacks may be maintained, modified, and managed by third-party users who need not be affiliated with the originating website or application. In 2007, Jeff Lindsay coined the term webhook from the computer programming term hook.
Backend as a service (BaaS), sometimes also referred to as mobile backend as a service (MBaaS), is a service for providing web app and mobile app developers with a way to easily build a backend to their frontend applications. Features available include user management, push notifications, and integration with social networking services. These services are provided via the use of custom software development kits (SDKs) and application programming interfaces (APIs). BaaS is a relatively recent development in cloud computing, with most BaaS startups dating from 2011 or later. Some of the most popular service providers are AWS Amplify and Firebase.
Google APIs are application programming interfaces (APIs) developed by Google which allow communication with Google Services and their integration to other services. Examples of these include Search, Gmail, Translate or Google Maps. Third-party apps can use these APIs to take advantage of or extend the functionality of the existing services.
Firebase was a company that developed backend software. It was founded in San Francisco in 2011 and was incorporated in Delaware.
Approov (formerly CriticalBlue) is a Scottish software company based in Edinburgh that is primarily active in two areas of technology: anti-botnet and automated threat prevention for mobile businesses, and software optimization tools and services for Android and Linux platforms.
Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by a worldwide community of contributors, and the trademark is held by the Cloud Native Computing Foundation.
Firebase Cloud Messaging (FCM), formerly known as Google Cloud Messaging (GCM), is a cross-platform cloud service for messages and notifications for Android, iOS, and web applications, which as of May 2023 can be used at no cost. Firebase Cloud Messaging allows third-party application developers to send notifications or messages from servers hosted by FCM to users of the platform or end users.
Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials that are available across multiple devices are commonly referred to as passkeys.
 | This computer-programming-related article is a stub. You can help Wikipedia by expanding it. |