Authenticate an API by using API key
Before you begin
- Make sure that you have the Manage APIs or the Activate / Deactivate APIs functional privilege. Administrators hold this privilege by default.
- Postman is installed on your system, or you use the web version of Postman.
About this task
Exposing APIs reveals application logic and sensitive data and can pose a security risk to an organization. Without authentication, APIs are open to unauthorized access, misuse, and abuse: an unauthenticated user or application can read sensitive data or resources, perform unauthorized actions, or overload the API with excessive requests. This is why API security matters. One way to secure your APIs is to implement an authentication mechanism that controls their exposure through user credentials or access tokens. The authentication mechanism works as a gatekeeper that grants access only to authenticated clients.
You can use different API authentication methods such as HTTP basic authentication, API key authentication, OAuth 2.0 authentication, and JWT authentication. Selecting the appropriate authentication method for a particular API depends on the level of security needed to validate the clients, weighed against the ease of implementation.
For example, HTTP basic authentication works well for restricting public access to low-risk data and resources, but it sends the credentials with every request and therefore still requires a minimum level of security controls, in particular TLS. API key authentication works well in scenarios where API providers want to identify individual client applications and regulate their permissions as needed. API keys are suitable for simple API requests where you might not require a high level of security, whereas OAuth 2.0 or JWT authentication offers a greater level of security in the form of short-lived tokens, token revocation, and refresh tokens.
webMethods API Gateway provides various authentication methods such as Basic Auth, API key, OAuth 2.0, OAuth with OpenID, and JWT. The following example illustrates a scenario on how to securely access APIs by using API key-based authentication. An API key is a system-generated string consisting of a long series of letters and numbers that uniquely identifies the application to which it was issued. The client application sends the key with each API call; the gateway looks up the key, recognizes the application and the developer it was issued to, and, if the key is valid and the application is authorized for the requested API, forwards the call to the backend. Because the key is a bearer secret, anyone who holds it can call the API as that application, so the key must be sent only over TLS and stored securely on the client.
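To make the gatekeeper behaviour described above concrete, here is an added example that is not code from the page or from webMethods API Gateway: a minimal API key check written as it would run inside a gateway, plus the client side that attaches the key to a Petstore request. It assumes the key arrives in the x-Gateway-APIKey header (the header name API Gateway uses by default in my understanding; check your gateway's API key configuration), and the key store, application names, key values, and gateway URL are constructed for the demonstration. The gateway side stores only a hash of each key, compares in constant time, matches the header name case-insensitively, and distinguishes a missing or invalid key (401) from a valid key whose application is not authorized for this API (403).

```python
"""Added example: API key gatekeeper and client (not webMethods API Gateway code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: default header name used by API Gateway for API keys.
API_KEY_HEADER = "x-Gateway-APIKey"


def generate_api_key() -> str:
    """Issue a new key: 32 random bytes, URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(32)


def hash_key(api_key: str) -> str:
    """The gateway never stores raw keys, only a SHA-256 digest."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed key store: digest -> issuing application and the APIs it may call.
PETSTORE_KEY = "demo-key-for-petstore-app-0123456789"   # constructed value
ORDERS_KEY = "demo-key-for-orders-app-9876543210"       # constructed value
KEY_STORE: Dict[str, dict] = {
    hash_key(PETSTORE_KEY): {"application": "petstore-mobile", "apis": {"Petstore"}},
    hash_key(ORDERS_KEY): {"application": "orders-batch", "apis": {"Orders"}},
}


def lookup(api_key: str) -> Optional[dict]:
    """Find the application for a key. Every stored digest is compared with
    hmac.compare_digest so the response time does not reveal which entry matched."""
    digest = hash_key(api_key)
    match = None
    for stored_digest, app in KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            match = app
    return match


def authenticate(headers: Dict[str, str], api_name: str) -> Tuple[int, str]:
    """Gateway-side check. Returns (HTTP status, reason).
    401: no key or unknown key. 403: known key, but not authorized for api_name."""
    # HTTP header names are case-insensitive, so match on the lowercased name.
    key = next((v for k, v in headers.items()
                if k.lower() == API_KEY_HEADER.lower()), None)
    if not key:
        return 401, "missing API key"
    app = lookup(key)
    if app is None:
        return 401, "invalid API key"
    if api_name not in app["apis"]:
        return 403, "application %s is not authorized for %s" % (app["application"], api_name)
    return 200, "authenticated as %s" % app["application"]


def build_request(url: str, api_key: str) -> dict:
    """Client side: what Postman sends when the key is added as a header.
    The URL must be https, otherwise the bearer key travels in clear text."""
    if not url.lower().startswith("https://"):
        raise ValueError("API key must only be sent over TLS")
    return {"method": "GET", "url": url, "headers": {API_KEY_HEADER: api_key}}


if __name__ == "__main__":
    # Hypothetical gateway URL for the Petstore API.
    req = build_request("https://gateway.example.com/gateway/Petstore/1.0/pet/1", PETSTORE_KEY)
    print(authenticate(req["headers"], "Petstore"))          # (200, 'authenticated as petstore-mobile')
    print(authenticate({}, "Petstore"))                      # (401, 'missing API key')
    print(authenticate(req["headers"], "Orders"))            # (403, ...)
```

The 401 versus 403 split matters operationally: a burst of 401s from one source is a key-guessing or misconfigured client, while 403s are valid applications calling APIs they were never granted, which is usually a policy or provisioning problem rather than an attack.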
The figure depicts the API key-based authentication mechanism.
The following example illustrates the steps to secure a REST API, Petstore, with an API key and how to use this API key to access the API.
Procedure
What to do next
Now that you have secured the API and accessed it with its API key, you can start using the API.