by Luke Marshall
• June 2, 2020
REST, a.k.a. Representational State Transfer, is an architectural style commonly used in software development. Applications built via REST-style development tend to be excellent examples of distributed hypermedia applications. However, they don’t often have excellent innate security options. That’s where API keys and OAuth tokens come in.
As Dr. Fielding wrote in his 2000 dissertation, “[REST’s layered system allows] security policies to be enforced on data crossing the organizational boundary, as is required by firewalls.” This enables API keys and OAuth tokens to function exactly as designed. In fact, each of these two types of REST security were designed to function similar.
But, as every developer knows, intention and impact are often different. In order to get the most out of your application’s security programs, you’ll need to know whether to use an API key or OAuth. Though it may sound counterintuitive, these similar security styles could not be more different. Here’s what we’ll cover:
Did you know you can generate a full-featured, documented, and secure REST API in minutes using DreamFactory? Sign up for our free 14 day hosted trial to learn how! Our guided tour will show you how to create an API using an example database provided to you as part of the trial!
Create Your REST API Now
REST API security involves using data protections to authenticate users and prevent the unauthorized access of various web endpoints. Without a secure REST API complete with detailed authentication protocols, any computer savvy individual can manipulate your data with virtually no limitations on access.
Securing a REST API means that this will not be as much of a problem.
In other words, securing a REST API means reducing the risk of unauthorized or unauthenticated users from accessing, deleting, or otherwise altering data. Developers can do this through a variety of different protocols, two of which we’ll discuss in greater detail throughout this article: API keys and OAuth.
Without following proper REST API security guidelines, these problems can cripple your organization.
Through the use of software like DreamFactory, which uses automatic RESTful API configuration, securing a REST API becomes a simple process. This kind of software hits on the most important REST API security guidelines, enabling you to protect HTTP methods, defend against cross-site request forgeries, and so on.
First things first, a proper REST API must have rock-solid authentication protocols complete with input validation and automated audits. This triad of security practices prevents unauthorized users from accessing certain datasets, prevents user error, and prevents URL-hijacking (a.k.a. DNS hijacking, which can have disastrous effects if left unattended).
Once authentication and input verification protocols are in place, output verification protocols should also go into effect. This can prevent improper browser interpretations and cross-site scripting vulnerabilities.
This is by no means an exhaustive list. There are a number of other measures to take when implementing proper REST API security guidelines. That’s why it’s important to use a software like DreamFactory for API key security.
Now that you’ve gotten an in-depth refresher on REST API security and its importance, it’s time to get back to the question at hand: Should you use an API Key or OAuth token? The issue of how to secure REST APIs is solved through the use of API key security of OAuth tokens, but each of these two options comes with a number of pros and cons.
If you’re unfamiliar with Oauth security protocols, here’s a quick refresher. OAuth comes in two styles: OAuth 1 and OAuth 2. For purposes of this article, we’ll discuss the more popular OAuth 2 with a brief look at OAuth 1. OAuth uses cryptographic tokens to protect passwords and other user-data identifications both in transit and in storage.
The OAuth authorization protocol and API key cryptographic security system share a number of similarities and an equally large number of differences. Despite their shared intention (securing REST APIs) each works better than the other when it comes to various specifics and performance requirements. At the end of the day, though, only one option is best for REST API security.
We’ll get to that after analyzing the pros and cons of each of these two cryptographic security protocols.
API key security practices are incredibly common. So much so, in fact, that many of the most popular application performance monitoring platforms and software are designed around them, enabling users to gain specific APM metrics on the performance of their various keys, APIs, etc.
OAuth tokens are used to significantly lesser extent, meaning that APM compatibility for developers who prefer to use OAuth tokens may be limited. That problem tends not to arise for users of API key security protocols.
API keys used in REST API security practices can also benefit from universal HTTP connectors. For example, the universal HTTP connector that DreamFactory offers is compatible with many of the most effective API keys.
Expert software developers can write, configure, and deploy API key security protocols in a matter of minutes. For most developers, however, an API management solution is necessary to reduce the difficulty and complexity of API development.
Once an API key is deployed, it’s ready to go. From then on, all you have to do to access it and the data that it protects is log in, find where it’s saved, and copy/paste it into your authorization portal.
API keys can also be used somewhat universally, with the same key being used across multiple applications. There are a number of reasons why you should never do that, however, and more experienced web application developers can use simple practices and REST API security guidelines to bypass these concerns.
With DreamFactory, API key security is even easier. In only a few clicks, you can generate any number of individual API keys for use in securing REST applications.
When it comes to read-only data, there’s almost nothing as secure as an API key. API key security is an excellent option for authentication but a less-than-ideal option for authorization, meaning that simple read-only APIs (which require less granular permissions) may function better.
API key security enables easier access, quicker response times, and even opens the door to reducing database query load, assuming that your system has a fully optimized content delivery network (CDN) capable of distributing cached content without causing any additional memory bloat.
When it comes to the overwhelming majority of websites and endpoints, the public user only needs to read data but needs to read a lot of it. The simplicity of API key security combined with its exceptional read-only protections makes it both easy and effective to deploy large numbers of API keys to cover all read-only data.
Of course, it is important to note that API keys are not a method of authorization. Instead, they are simply a method of authentication. That means that they may struggle with write permissions without the proper configurations (e.g., an additional role-based access control system) and without following proper API key security guidelines.
This is the flip side of one of the more important advantages of using API keys to secure REST APIs. Whereas API keys excel at securing read-only data, these keys don’t do particularly well when securing write permissions. When user data and role-based access controls (RBACs) are thrown into the mix, creating these API keys also becomes significantly more complicated.
That’s where software like DreamFactory comes in. This kind of software supports typing an RBAC to an API key with any number of role-based permissions, helping to bridge the gap between authentication and authorization.
It’s important to note, however, that API keys are only a form of authentication. In their standard use, API keys are not great at authorizing various levels of access. Instead, anybody with the key can access all of the information, requiring individual API keys for each user.
When it comes to user-specific data, API keys tend to fall short without assistance from an outsourced API management software capable of handling the necessary role-based access control systems. This can be quite time consuming to develop without the proper software to speed the process up. However, user-controlled transactions and power transfers still require the transmission of the API key itself.
In order for end users to grant access to their specific data via an API key, they’ll have to copy and paste the token to their intended recipient. This opens the door for onlookers to monitor transactions in hopes of glimpsing the key in transit. Depending on the skill of this hacker, they may copy, intercept, or otherwise obtain the key without proper authorization.
One of the most common methods of avoiding the above risks associated with API key security is to create apps that enable the creation of new API keys, generate multiple API keys, and/or revoke API keys. Standard operating procedures are to do just that through a single restricted administration console. This can significantly bolster API key security, but doesn’t fully erase the problem of corruptible data.
A single broken app can obliterate the API key — and thus the user data — to which it is tied. The problem is further worsened if you use the same API key across multiple applications.
The major reason developers of web applications turn to OAuth security is to handle authorization levels for various end users. For example, Facebook uses OAuth tokens to enable its public developer partners to better manage their user data, grant permissions, and so on.
Developers can tie OAuth tokens to different scopes, meaning that whoever possesses those tokens can only access the associated data in specific ways amid a number of other potential limitations. This significantly reduces the damage potential of stolen OAuth tokens.
For example, OAuth security practices enable end users to place various limitations on the operations that recipients can perform as well as the data that recipients can access. This tiered level of authorization access regarding user data is the most substantial difference between API keys and OAuth tokens.
The primary purpose of OAuth is to provide options for handling various authorization levels across different user channels. Along that line is the ability for OAuth security developers to create temporary tokens. These tokens expire after a predetermined period of time, making them great for temporary authorizations.
These tokens help further prevent the damage potential of stolen tokens. A similar analogy is changing your password after your account gets hacked. Depending on the nature of your system, this could lock out any unauthorized users.
If you’re developing an application that could benefit from temporary tokens, you might want to consider OAuth. Alternatively, software like DreamFactory can enable detailed customizations along the same lines for API key security practices.
OAuth security tokens excel at enabling developers to manage user data. Whereas standard API key security practices struggle to handle write permissions mixed in with individual user authorizations, OAuth is designed to do just that.
OAuth security practices make it easy to manage personal user data, any number of repositories, notifications, and various aspects typically associated with control management tools like Git (including data on both read and write access authorization protocols).
The downside to all of this is that it takes a good deal of work to set up these tokens. OAuth’s lack of simplicity is one of the main differences between OAuth security and API key security.
Blaine Cook and a team of developers produced the first iteration of OAuth (OAuth Core 1.0) in July of 2007. API keys, on the other hand, were invented in 2000. For about seven years, API key security was the only reputable option available to developers looking to secure REST APIs.
Because OAuth security is newer than API key security, it has had less time to catch on and many legacy systems were built using API key security. To avoid the hassle of updating and overhauling legacy systems, many developers choose instead to continue with the simple, easy-to-navigate, API key security practices.
Over time, the prevalence of OAuth-proficient developers will no doubt increase. However, API keys are likely to remain the more popular choice for securing REST APIs, due to software like DreamFactory, which enables universal legacy API support.
When it comes to development speed, simplicity is the name of the game. Unfortunately for OAuth security, that’s a game that API keys win every time. The difference in simplicity is further widened when you compare the various kinds of API configuration software. For example, DreamFactory can configure and deploy an API key in a matter of seconds.
OAuth on the other hand requires an amount of time that varies depending on the complexity of the key. Developers can write a simple read-write key with no expiration date, designed to fit into the authorization header, and without detailed user authorization levels in a few minutes. However, more complex tokens can require substantially more time to develop.
Of course, OAuth security experts may be able create complicated OAuth tokens in a matter of a few minutes. That being said, the steep learning curve tends to make OAuth security more of a challenge than API key security.
For the most part, anybody you ask “Where do OAuth security tokens go?” will tell you to put them in the authorization headers. This is standard practice for both OAuth tokens and API keys. The difference, however, is that API keys have a greater number of possible placement locations. Granted, this is somewhat of a moot point, as API keys will still almost always be managed in the header.
Attaching tokens to URI endpoints can result in decreased security. After all, every endpoint is a doorway for a hacker, so writing the password on the door frame can prove problematic. While this analogy is a good bit of an overstatement, the underlying point remains accurate.
Technically, you can place OAuth tokens in a number of locations (e.g., query strings, headers, etc.). However, performance may decrease depending on the location. API key-based security protocols, on the other hand, have little to no problems in that regard.
The race is almost too close to call. OAuth security is a fantastic option for managing user data and write permissions, especially when dealing with multiple authorization levels across a database. API key security, on the other hand, is a fantastic option for rapid deployment, compatibility, and so on.
When it comes to securing REST APIs, the best way to do so is through the use of API keys. These simple tools are great for developers looking for a faster way to bolster their API security practices, the API key protocols work great for a larger number of applications and purposes than OAuth tokens, and the list goes on.
When it comes to managing REST APIs, you’re going to want to have the best API management tools at your disposal. That means using DreamFactory to build, configure, and deploy your API security systems.
Not only is DreamFactory less than 6% of the cost of competitors like MuleSoft, we also offer universal HTTP connection. That means that you can easily incorporate any legacy systems migration, previous configurations of API keys, and similar programs into the DreamFactory system and into your application.
For more information on how DreamFactory can help you better secure REST APIs, head over to DreamFactory.com and start your free trial today.
Join the DreamFactory newsletter list.