Terence Bennett - March 20, 2024
REST, a.k.a. Representational State Transfer, is an architectural style commonly used in software development. Applications built via REST-style development tend to be excellent examples of distributed hypermedia applications. However, they don’t often have excellent innate security options. That’s where API keys and OAuth tokens come in. In this article, we’ll cover how to secure REST APIs with either API keys or OAuth.
Here’s the key things to know about securing REST APIs with API keys or OAuth:
- REST API security is important to prevent unauthorized access to data.
- There are two main ways to secure REST APIs: API keys and OAuth tokens.
- API keys are good for read-only data, but not as good for authorization.
- OAuth tokens are better for authorization, but can be more complex to implement.
- The best way to secure a REST API depends on the specific needs of the application.
Table of Contents:
As Dr. Fielding wrote in his 2000 dissertation, “[REST’s layered system allows] security policies to be enforced on data crossing the organizational boundary, as is required by firewalls.” This enables API keys and OAuth tokens to function exactly as designed. In fact, each of these two types of REST security were designed to function similar.
But, as every developer knows, intention and impact are often different. In order to get the most out of your application’s security programs, you’ll need to know whether to use an API key or OAuth. Though it may sound counterintuitive, these similar security styles could not be more different.
What Does Securing a REST API Mean?
REST API security involves using data protections to authenticate users and prevent the unauthorized access of various web endpoints. Without a secure REST API complete with detailed authentication protocols, any computer savvy individual can manipulate your data with virtually no limitations on access.
Securing a REST API means that this will not be as much of a problem.
In other words, securing a REST API means reducing the risk of unauthorized or unauthenticated users from accessing, deleting, or otherwise altering data. Developers can do this through a variety of different protocols, two of which we’ll discuss in greater detail throughout this article: API keys and OAuth.
Without following proper REST API security guidelines, these problems can cripple your organization.
REST API Security Guidelines
Through the use of software like DreamFactory, which uses automatic RESTful API configuration, securing a REST API becomes a simple process. This kind of software hits on the most important REST API security guidelines, enabling you to protect HTTP methods, defend against cross-site request forgeries, and so on.
First things first, a proper REST API must have rock-solid authentication protocols complete with input validation and automated audits. This triad of security practices prevents unauthorized users from accessing certain datasets, prevents user error, and prevents URL-hijacking (a.k.a. DNS hijacking, which can have disastrous effects if left unattended).
Once authentication and input verification protocols are in place, output verification protocols should also go into effect. This can prevent improper browser interpretations and cross-site scripting vulnerabilities.
This is by no means an exhaustive list. There are a number of other measures to take when implementing proper REST API security guidelines. That’s why it’s important to use a software like DreamFactory for API key security.
API Keys or OAuth?
Now that you’ve gotten an in-depth refresher on REST API security and its importance, it’s time to get back to the question at hand: Should you use an API Key or OAuth token? The issue of how to secure REST APIs is solved through the use of API key security of OAuth tokens, but each of these two options comes with a number of pros and cons.
If you’re unfamiliar with Oauth security protocols, here’s a quick refresher. OAuth comes in two styles: OAuth 1 and OAuth 2. For purposes of this article, we’ll discuss the more popular OAuth 2 with a brief look at OAuth 1. OAuth uses cryptographic tokens to protect passwords and other user-data identifications both in transit and in storage.
The OAuth authorization protocol and API key cryptographic security system share a number of similarities and an equally large number of differences. Despite their shared intention (securing REST APIs) each works better than the other when it comes to various specifics and performance requirements. At the end of the day, though, only one option is best for REST API security.
We’ll get to that after analyzing the pros and cons of each of these two cryptographic security protocols.
Benefits of API Keys
API Keys and APM Platforms are Often Designed to Work Together
API key security practices are incredibly common. So much so, in fact, that many of the most popular application performance monitoring platforms and software are designed around them, enabling users to gain specific APM metrics on the performance of their various keys, APIs, etc.
OAuth tokens are used to significantly lesser extent, meaning that APM compatibility for developers who prefer to use OAuth tokens may be limited. That problem tends not to arise for users of API key security protocols.
API keys used in REST API security practices can also benefit from universal HTTP connectors. For example, the universal HTTP connector that DreamFactory offers is compatible with many of the most effective API keys.
API keys are incredibly simple and easy to integrate when using an API management solution.
Expert software developers can write, configure, and deploy API key security protocols in a matter of minutes. For most developers, however, an API management solution is necessary to reduce the difficulty and complexity of API development.
Once an API key is deployed, it’s ready to go. From then on, all you have to do to access it and the data that it protects is log in, find where it’s saved, and copy/paste it into your authorization portal.
API keys can also be used somewhat universally, with the same key being used across multiple applications. There are a number of reasons why you should never do that, however, and more experienced web application developers can use simple practices and REST API security guidelines to bypass these concerns.
With DreamFactory, API key security is even easier. In only a few clicks, you can generate any number of individual API keys for use in securing REST applications.
API keys are exceptional at limiting risk of read-only data.
When it comes to read-only data, there’s almost nothing as secure as an API key. API key security is an excellent option for authentication but a less-than-ideal option for authorization, meaning that simple read-only APIs (which require less granular permissions) may function better.
API key security enables easier access, quicker response times, and even opens the door to reducing database query load, assuming that your system has a fully optimized content delivery network (CDN) capable of distributing cached content without causing any additional memory bloat.
When it comes to the overwhelming majority of websites and endpoints, the public user only needs to read data but needs to read a lot of it. The simplicity of API key security combined with its exceptional read-only protections makes it both easy and effective to deploy large numbers of API keys to cover all read-only data.
Of course, it is important to note that API keys are not a method of authorization. Instead, they are simply a method of authentication. That means that they may struggle with write permissions without the proper configurations (e.g., an additional role-based access control system) and without following proper API key security guidelines.
Disadvantages of API Keys
Read-only API keys are limiting when it comes to data that requires specific permissions.
This is the flip side of one of the more important advantages of using API keys to secure REST APIs. Whereas API keys excel at securing read-only data, these keys don’t do particularly well when securing write permissions. When user data and role-based access controls (RBACs) are thrown into the mix, creating these API keys also becomes significantly more complicated.
That’s where software like DreamFactory comes in. This kind of software supports typing an RBAC to an API key with any number of role-based permissions, helping to bridge the gap between authentication and authorization.
It’s important to note, however, that API keys are only a form of authentication. In their standard use, API keys are not great at authorizing various levels of access. Instead, anybody with the key can access all of the information, requiring individual API keys for each user.
While API keys excel in authenticating users, they struggle with authorizations.
When it comes to user-specific data, API keys tend to fall short without assistance from an outsourced API management software capable of handling the necessary role-based access control systems. This can be quite time consuming to develop without the proper software to speed the process up. However, user-controlled transactions and power transfers still require the transmission of the API key itself.
In order for end users to grant access to their specific data via an API key, they’ll have to copy and paste the token to their intended recipient. This opens the door for onlookers to monitor transactions in hopes of glimpsing the key in transit. Depending on the skill of this hacker, they may copy, intercept, or otherwise obtain the key without proper authorization.
A broken API key can annihilate data.
One of the most common methods of avoiding the above risks associated with API key security is to create apps that enable the creation of new API keys, generate multiple API keys, and/or revoke API keys. Standard operating procedures are to do just that through a single restricted administration console. This can significantly bolster API key security, but doesn’t fully erase the problem of corruptible data.
A single broken app can obliterate the API key — and thus the user data — to which it is tied. The problem is further worsened if you use the same API key across multiple applications.
Benefits of OAuth
OAuth security tokens are great at authorizing levels of access for specific users.
The major reason developers of web applications turn to OAuth security is to handle authorization levels for various end users. For example, Facebook uses OAuth tokens to enable its public developer partners to better manage their user data, grant permissions, and so on.
Developers can tie OAuth tokens to different scopes, meaning that whoever possesses those tokens can only access the associated data in specific ways amid a number of other potential limitations. This significantly reduces the damage potential of stolen OAuth tokens.
For example, OAuth security practices enable end users to place various limitations on the operations that recipients can perform as well as the data that recipients can access. This tiered level of authorization access regarding user data is the most substantial difference between API keys and OAuth tokens.
OAuth security tokens can be set to expire.
The primary purpose of OAuth is to provide options for handling various authorization levels across different user channels. Along that line is the ability for OAuth security developers to create temporary tokens. These tokens expire after a predetermined period of time, making them great for temporary authorizations.
These tokens help further prevent the damage potential of stolen tokens. A similar analogy is changing your password after your account gets hacked. Depending on the nature of your system, this could lock out any unauthorized users.
If you’re developing an application that could benefit from temporary tokens, you might want to consider OAuth. Alternatively, software like DreamFactory can enable detailed customizations along the same lines for API key security practices.
OAuth security tokens offer exceptional access to user data.
OAuth security tokens excel at enabling developers to manage user data. Whereas standard API key security practices struggle to handle write permissions mixed in with individual user authorizations, OAuth is designed to do just that.
OAuth security practices make it easy to manage personal user data, any number of repositories, notifications, and various aspects typically associated with control management tools like Git (including data on both read and write access authorization protocols).
The downside to all of this is that it takes a good deal of work to set up these tokens. OAuth’s lack of simplicity is one of the main differences between OAuth security and API key security.
Disadvantages of OAuth
OAuth security is less popular (and less commonly understood) than API keys.
Blaine Cook and a team of developers produced the first iteration of OAuth (OAuth Core 1.0) in July of 2007. API keys, on the other hand, were invented in 2000. For about seven years, API key security was the only reputable option available to developers looking to secure REST APIs.
Because OAuth security is newer than API key security, it has had less time to catch on and many legacy systems were built using API key security. To avoid the hassle of updating and overhauling legacy systems, many developers choose instead to continue with the simple, easy-to-navigate, API key security practices.
Over time, the prevalence of OAuth-proficient developers will no doubt increase. However, API keys are likely to remain the more popular choice for securing REST APIs, due to software like DreamFactory, which enables universal legacy API support.
OAuth security is more complicated than API key security.
When it comes to development speed, simplicity is the name of the game. Unfortunately for OAuth security, that’s a game that API keys win every time. The difference in simplicity is further widened when you compare the various kinds of API configuration software. For example, DreamFactory can configure and deploy an API key in a matter of seconds.
OAuth on the other hand requires an amount of time that varies depending on the complexity of the key. Developers can write a simple read-write key with no expiration date, designed to fit into the authorization header, and without detailed user authorization levels in a few minutes. However, more complex tokens can require substantially more time to develop.
Of course, OAuth security experts may be able create complicated OAuth tokens in a matter of a few minutes. That being said, the steep learning curve tends to make OAuth security more of a challenge than API key security.
OAuth security tokens are best used in authorization headers.
For the most part, anybody you ask “Where do OAuth security tokens go?” will tell you to put them in the authorization headers. This is standard practice for both OAuth tokens and API keys. The difference, however, is that API keys have a greater number of possible placement locations. Granted, this is somewhat of a moot point, as API keys will still almost always be managed in the header.
Attaching tokens to URI endpoints can result in decreased security. After all, every endpoint is a doorway for a hacker, so writing the password on the door frame can prove problematic. While this analogy is a good bit of an overstatement, the underlying point remains accurate.
Technically, you can place OAuth tokens in a number of locations (e.g., query strings, headers, etc.). However, performance may decrease depending on the location. API key-based security protocols, on the other hand, have little to no problems in that regard.
Best Ways to Secure REST APIs
When it comes to keeping REST APIs safe, it’s like making sure your online house is secure; you want strong locks on the doors and to ensure that only those with the right key can get in. It’s crucial to keep out uninvited guests who might want to snoop around or cause trouble.
Understanding REST API Security
Securing a REST API entails more than just erecting a digital barrier; it’s about establishing a vigilant gatekeeper to authenticate identities and scrutinize the level of access each identity can have. The aim is to protect the API from unauthorized entry and manipulation, which can jeopardize both data integrity and user trust. In essence, a secure REST API is the digital equivalent of a well-guarded fortress, complete with checks and balances to control who can enter and what they can do within its walls.
Selecting the Right Security Protocol
With the array of security measures available, it can be challenging to determine whether to implement API keys or OAuth tokens. This choice significantly impacts the API’s security posture. API keys act as simple, yet powerful, passcodes that grant access, while OAuth tokens are akin to sophisticated passports that not only grant access but also specify the degree of interaction allowed with the API. Each method has its unique set of advantages and potential drawbacks, and the optimal choice depends on the specific requirements of the application.
Which Protocol is Best to Secure REST APIs?
The race is almost too close to call. OAuth security is a fantastic option for managing user data and write permissions, especially when dealing with multiple authorization levels across a database. API key security, on the other hand, is a fantastic option for rapid deployment, compatibility, and so on.
When it comes to securing REST APIs, the best way to do so is through the use of API keys. These simple tools are great for developers looking for a faster way to bolster their API security practices, the API key protocols work great for a larger number of applications and purposes than OAuth tokens, and the list goes on.
DreamFactory and API Security
When it comes to managing REST APIs, you’re going to want to have the best API management tools at your disposal. That means using DreamFactory to build, configure, and deploy your API security systems.
Not only is DreamFactory less than 6% of the cost of competitors like MuleSoft, we also offer universal HTTP connection. That means that you can easily incorporate any legacy systems migration, previous configurations of API keys, and similar programs into the DreamFactory system and into your application.
For more information on how DreamFactory can help you better secure REST APIs, head over to DreamFactory.com and start your free trial today.
Frequently Asked Questions: How to Secure REST APIs
What is REST API security?
REST API security is the practice of securing RESTful APIs (Application Programming Interfaces) from unauthorized access. REST APIs are used to expose data and functionality to other applications, and they can be a target for attackers.
What are the two main ways to secure REST APIs?
There are two main ways to secure REST APIs: API keys and OAuth tokens. API keys are a simple way to authenticate users, but they don’t provide granular authorization control. OAuth tokens are more complex to implement, but they offer more granular authorization control and can be set to expire.
What are the benefits of using API keys to secure REST APIs?
API keys are a simple way to authenticate users, and they are often supported by a wide range of API management platforms. They can also be used to track usage and generate reports.
What are the drawbacks of using API keys to secure REST APIs?
API keys can be difficult to manage, and they don’t provide granular authorization control. If an API key is compromised, it can give an attacker access to all of the data that the API exposes.
What are the benefits of using OAuth tokens to secure REST APIs?
OAuth tokens offer more granular authorization control than API keys. They can also be set to expire, which helps to protect against unauthorized access.
What are the drawbacks of using OAuth tokens to secure REST APIs?
OAuth tokens can be more complex to implement than API keys, and they are not supported by all API management platforms.
What is the best way to secure a REST API?
The best way to secure a REST API depends on the specific needs of the application. If you need to support read-only access to data, API keys may be a good option. If you need to support more granular authorization control, OAuth tokens may be a better choice.
Related Reading:
Terence Bennett, CEO of DreamFactory, has a wealth of experience in government IT systems and Google Cloud. His impressive background includes being a former U.S. Navy Intelligence Officer and a former member of Google’s Red Team. Prior to becoming CEO, he served as COO at DreamFactory Software.