
In APIs that authenticate with a single API key (e.g. a long random string) via Basic Auth, I have seen that most (e.g. Stripe, Unbounce) send the API key as the username, leaving the password field blank. The only service I have seen that sends the API key in the password field is Bing.

Is there any reason to choose to send the API key as the username field or the password field?

I know that both the username and the password are concatenated and encoded, so both are equivalent in transmission. I am looking for reasons such as (for example):

  • "Well known client X expects non-empty usernames, so the API key has to go in the username"

  • "Well known client Y logs usernames and not passwords, so the API key has to go in the password"

Victor

1 Answer

The answer to your question will be opinion based.

In my opinion, the password should confirm that the requester is really the owner of the user ID he sent in the request. If one were to treat the API key as a password, which user ID would it confirm? That's why I treat the API key in such a scenario (Basic Auth) as a user ID. And this user ID is so secret that knowing it already allows you to use it, without an additional password.

No matter how you treat it, no approach is ideal. Normally, as a developer, you will need a user ID (or some information that points to a user ID) for at least two purposes:

  • For logging, e.g. to analyze which user produced what load, or which user uses particular API endpoints.

  • For accounting: if in your business model you sell a particular number of API calls or some volume of resources, you have some kind of counters or other indicators that show how much of the purchased resources the user has used so far. For this you will need a user ID.

Logs and indicators ideally should not contain sensitive information. When you use the API key directly, that would not be good. So you may need some technical ID in your database, so that you map the API key to a technical ID and use that ID in logs, for accounting and similar purposes.

mentallurg
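The following is an added example, not code from either the question or the answer above. It illustrates two points from this thread: the question's observation that key-as-username and key-as-password produce equivalent Basic credentials on the wire (only the position of the colon differs), and the answer's advice to map the API key to a technical account ID and log that ID rather than the key. The key value, the fingerprint-to-account table and the `acct_…` identifier are all constructed for the example; a real service would look the fingerprint up in its database.

```python
import base64
import hashlib
import logging


def basic_auth_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic credential: base64("user:pass") behind the 'Basic ' scheme."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str) -> tuple:
    """Decode a Basic credential back into (username, password).

    The split is on the FIRST colon only, as the RFC requires, so a password
    may contain colons but a username may not.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


def extract_api_key(header: str) -> str:
    """Accept the key in either field, as long as exactly one of the two is non-empty."""
    username, password = parse_basic_auth_header(header)
    if bool(username) == bool(password):
        raise ValueError("expected exactly one of username/password to carry the API key")
    return username or password


def key_fingerprint(api_key: str) -> str:
    """Stable, non-reversible lookup handle for a key; the raw key is never stored or logged."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed sample data (not a real key, not a real account): the server-side
# table maps a key fingerprint to the technical account ID used in logs and billing.
SAMPLE_API_KEY = "sk_example_0123456789abcdef0123456789abcdef"
KEY_DIRECTORY = {
    key_fingerprint(SAMPLE_API_KEY): "acct_000042",
}


def resolve_account(header: str) -> str:
    """Authenticate a request and return the technical account ID to use downstream."""
    api_key = extract_api_key(header)
    account_id = KEY_DIRECTORY.get(key_fingerprint(api_key))
    if account_id is None:
        raise PermissionError("unknown API key")
    # Log the technical ID only; the secret never reaches the log pipeline.
    logging.info("api request authenticated account=%s", account_id)
    return account_id


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    as_username = basic_auth_header(SAMPLE_API_KEY, "")
    as_password = basic_auth_header("", SAMPLE_API_KEY)
    print("key in username ->", as_username)
    print("key in password ->", as_password)
    print("both resolve to:", resolve_account(as_username), resolve_account(as_password))
```

One practical asymmetry the parser makes visible: because the credential is split on the first colon, a key placed in the username field must not contain a colon, while a key in the password field may. Services that mint keys from a URL-safe alphabet avoid the issue in either position.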