smashbourne smashbourne - 2 months ago 18
reST (reStructuredText) Question

API Key in path

We have some IoT sensors that POST json payloads to an endpoint. They are configured with only a HTTPS URL to send to, no ability to setup authentication etc.

We need basic ability to see which sensor is sending data, and loosely prevent anyone from sending payloads. Full authentication will not be possible.

It was suggested we could put a token in the path and use it as a super basic API Key. I was wondering what the best format for the route should be...

/api/events/_ingest/api-key

/api/producer/api-key/events/_ingest

Answer

I was wondering what the best format for the route should be: /api/events/_ingest/api-key or /api/producer/api-key/events/_ingest

There's no best approach here, both are really bad. The API key does not belong to the URL. It should be sent in the standard Authorization HTTP header.


Once you mentioned in the comments that it will be something temporary, you could try a query parameter. It's still bad though. But you will be able to reuse this same route later, just moving the API key to a HTTP header, when your clients support it:

/api/events/_ingest?api-key=somecoolhashgoeshere
Comments