
Can I Share My API Key?


An API key is a token that a client presents when making API calls. The server uses it to identify the caller and to decide which resources that caller is allowed to access. In this article, we answer the question, "Can I share my API key?" and provide some guidance on when it is appropriate to do so, and on what to put in place when you do.

What is an API key and what does it do? 

An API key is a unique string of characters that identifies the client making the API call. In most systems the "client" is an application or project rather than an individual end user. The key is used to authenticate the client and to authorize access to specific resources. When a client makes an API call, the key is sent along with the request. The server then checks the key against its store of issued keys and, if a match is found, allows the request to proceed; if no match is found, the request is denied. Note that an API key is a bearer credential: whoever holds the string can use it, and the server cannot tell the legitimate client from a script that has copied the key. That is why how the key is stored, transmitted and shared matters so much.

[Figure: Google Cloud diagram of API keys and tokens (image source: cloud.google.com)]

Scenarios where I can share my API key with other people or businesses 

There are certain scenarios where it may be appropriate to share access to your APIs with other people or businesses. For example, if you are working with a partner on a project, you may need to give them access to your APIs so that they can work on it. In another scenario, a third-party service provider may need an API key in order to access your data on your behalf. In both cases, the right approach is to issue the other party a key of their own rather than handing over the key your own systems use, so that their access can be scoped and revoked independently.

Benefits of using an API key for mobile app development

API keys have several benefits for mobile app developers:

  • First, they help to ensure that only authorized clients have access to your APIs, as long as the key itself stays secret. This helps to protect your data from unauthorized access.
  • Second, they let you track and monitor the usage of your APIs by each client separately. This information is useful when troubleshooting and debugging issues, and for spotting a client whose key may have leaked.
  • Finally, API keys let you manage and control access to your APIs on a per-client basis, for example revoking one client's key without affecting any other client.

Granting and revoking access to the API

Controlling who has access to an API is an integral part of mobile app development. On most API platforms, by default only the project owner can create or manage keys. However, there will be times when you need to grant or revoke access to the API. For instance, you may need to give a developer temporary access to debug an issue (ideally with a key that expires by itself), or you may need to revoke access when a developer leaves the company. In either case, it is important to have a process in place for controlling API access. This process should cover both granting and revoking access, and should record which key was issued to whom so that a revocation can be targeted at a single client. By taking these steps, you can help ensure that only authorized developers have access to your API.
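The key check described under "What is an API key" and the grant/revoke process above can be seen together in a small server-side registry. This is an added example, not code from the article or from Approov: the registry is a hypothetical in-memory store (a real backend would use a database), and the key format `ak_<key id>_<secret>` is an assumption chosen so that the public id can be logged while only a hash of the secret is stored.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class KeyRecord:
    """Server-side record for one issued key. The secret itself is never stored."""
    client: str
    secret_hash: bytes            # SHA-256 of the secret part of the key
    scopes: FrozenSet[str]
    expires_at: Optional[float]   # None means the key does not expire
    revoked: bool = False


class ApiKeyRegistry:
    """Hypothetical in-memory key registry; a real deployment would back this with a database."""

    PREFIX = "ak"

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}   # key id -> record

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, client: str, scopes: Iterable[str], ttl_seconds: Optional[float] = None,
              now: Optional[float] = None) -> str:
        """Create a new key for one client. The full key string is returned exactly once."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)        # public identifier, safe to log and to revoke by
        secret = secrets.token_hex(24)       # 192 bits of entropy, shown to the client once
        expires_at = now + ttl_seconds if ttl_seconds is not None else None
        self._records[key_id] = KeyRecord(client, self._hash(secret), frozenset(scopes), expires_at)
        return f"{self.PREFIX}_{key_id}_{secret}"

    def revoke(self, key_id: str) -> bool:
        """Disable one key without deleting its record, so the issue history stays auditable."""
        record = self._records.get(key_id)
        if record is None:
            return False
        record.revoked = True
        return True

    def validate(self, presented: str, required_scope: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the client name if the presented key is valid for the scope, otherwise None."""
        now = time.time() if now is None else now
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != self.PREFIX:
            return None
        key_id, secret = parts[1], parts[2]
        record = self._records.get(key_id)
        if record is None:
            return None
        # Constant-time comparison, so response timing does not leak how much of the secret matched.
        if not hmac.compare_digest(record.secret_hash, self._hash(secret)):
            return None
        if record.revoked:
            return None
        if record.expires_at is not None and now >= record.expires_at:
            return None
        if required_scope not in record.scopes:
            return None
        return record.client


if __name__ == "__main__":
    registry = ApiKeyRegistry()
    partner_key = registry.issue("partner-a", ["read"])
    contractor_key = registry.issue("contractor", ["read", "write"], ttl_seconds=3600)
    print(registry.validate(partner_key, "read"))       # partner-a
    print(registry.validate(partner_key, "write"))      # None: scope was never granted
    registry.revoke(contractor_key.split("_")[1])       # revoke by public id when the contractor leaves
    print(registry.validate(contractor_key, "read"))    # None: revoked
```

Each client gets its own key, so revoking the contractor's key leaves the partner untouched, and the time-limited key covers the "temporary access to debug an issue" case without anyone having to remember to revoke it.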

Recommendations

Share access to your APIs only in specific scenarios where it is necessary and where you trust the person or business that will be receiving it. When granting access, always generate a new key for each client, with the narrowest scope and shortest lifetime that will do the job, so that you can revoke one client's access without affecting the others. That said, there are additional security measures you can deploy to safely continue to use API keys in a mobile context.

It's common to criticise mobile developers for including API keys in published app code and, given that anyone can download a mobile app from the app stores and unpack it, you can understand why. However, many app developers are not aware of other approaches that can be taken to protect API keys. Let's briefly consider a couple of viable options.

Firstly, if the API backend only accepts an API key as valid when the request also carries proof that it was sent from a genuine, unmodified instance of your mobile app running on an untampered device, then a 'leaked' API key is of little use to bad actors. Think of this as a second factor that is independently verified at the point where the API key is used. Mobile app attestation is an example of this and can readily be applied to ensure that API keys can't be used from scripts or from repackaged apps.

Secondly, and this is particularly useful where third-party APIs are accessed directly from a mobile app, delivering the API key just in time, at the moment it is needed to make an API call, means the key never has to reside permanently in the app code, so reverse engineering the downloadable app will not hand it to the attacker. Because the key still passes through the app's memory at call time, this works best combined with attestation, so that only verified app instances receive it in the first place.
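Both options above, attestation as a second factor and just-in-time key delivery, rest on the same check: the backend must verify a proof of app genuineness before it honours the API key or hands out a secret. The following is an added example, not Approov's code or protocol. It assumes the attestation service issues a short-lived HS256 JWT signed with a secret shared only with the backend (`ATTESTATION_SECRET`), that the app obtains that token at run time and sends it alongside the API key, and that `THIRD_PARTY_API_KEY` is the secret that must never be compiled into the app; all values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Assumed shared secret between the attestation service and the API backend (constructed value).
ATTESTATION_SECRET = b"constructed-attestation-secret-not-for-real-use"
# Assumed third-party API key that must never be embedded in the app binary (constructed value).
THIRD_PARTY_API_KEY = "tp_constructed_example_key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_attestation_token(secret: bytes, app_id: str, ttl_seconds: int,
                           now: Optional[float] = None) -> str:
    """Stand-in for what an attestation service returns to a genuine app instance:
    a short-lived HS256 JWT. Only the service and the backend hold `secret`, never the app."""
    now = time.time() if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": app_id, "exp": int(now + ttl_seconds)}).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_attestation_token(token: str, secret: bytes,
                             now: Optional[float] = None) -> Optional[Dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token claiming "none" or anything else is rejected outright.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return None
    except (ValueError, TypeError, AttributeError):
        # Malformed base64, JSON, structure or types all mean "not a valid attestation".
        return None
    return claims


def handle_api_request(api_key: str, attestation_token: str, valid_api_keys: Set[str],
                       now: Optional[float] = None) -> Tuple[int, str]:
    """Backend for your own API: the key identifies the caller, the attestation proves
    the call comes from a genuine app instance. Both must pass."""
    if api_key not in valid_api_keys:
        return 401, "unknown api key"
    if verify_attestation_token(attestation_token, ATTESTATION_SECRET, now) is None:
        # A leaked key replayed from a script or a repackaged app ends up here.
        return 403, "valid api key but no valid attestation"
    return 200, "ok"


def fetch_third_party_key(attestation_token: str, now: Optional[float] = None) -> Optional[str]:
    """Just-in-time delivery: the third-party key is released only to an attested app instance,
    so it never needs to live in the shipped app code."""
    if verify_attestation_token(attestation_token, ATTESTATION_SECRET, now) is None:
        return None
    return THIRD_PARTY_API_KEY
```

The interesting paths are the failures: a caller holding a perfectly valid API key but no attestation token, an expired token, or a token signed with a guessed secret all get 403, and the same caller asking for the third-party key gets nothing. Keeping the token lifetime short limits how long a token captured from a genuine device remains useful.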

To learn more about securing your mobile apps, API Keys and APIs with Approov, sign up for our free trial today or contact us to discuss your use case.

David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.