API Security confusion #26

Open
John-Bosch opened this issue Feb 19, 2020 · 2 comments
@John-Bosch

In the API Security section, under Authentication and Authorisation (please use the Australian English spelling), the dot points seem to suggest that both an Authorization header and an API key must be used. Is this the intention?

I do agree that just using an API key is not sufficient in most circumstances, but requiring both seems overkill.

@rahariya
Collaborator

They both serve different purposes.

API keys are for projects, i.e. they identify which project is making an API call, whereas authentication is for users, i.e. to check if the calling application has been granted access to call the API.

I guess the API key should be included in every API call, whereas the Authorization header should be on a case-by-case basis.

@ryanotella

An API key can be delivered in an Authorization header. The OAuth2 Client Credentials grant type will also use an Authorization header as the transport for non-human identity authorisation.
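The distinction discussed in this thread, shown as an added example (it is not part of the issue or of the project's own code): a server-side resolver that treats an API key as project identification and the Authorization header as the carrier for client authorisation. The `X-API-Key` header name, the `ApiKey` scheme name, the in-memory tables and every key, secret and token are constructed assumptions; header lookup is case-sensitive here for brevity.

```python
import base64
import hmac

# Constructed sample data (assumptions, not from the page).
PROJECT_KEYS = {"key-demo-123": "project-alpha"}   # API key -> project
CLIENTS = {"svc-client": "s3cret-demo"}            # client_id -> client_secret
ISSUED_TOKENS = {"tok-demo-abc": "svc-client"}     # access token -> client_id


def parse_authorization(value):
    """Split an Authorization header value into (scheme, credentials)."""
    scheme, _, credentials = value.strip().partition(" ")
    if not scheme or not credentials.strip():
        raise ValueError("malformed Authorization header")
    return scheme.lower(), credentials.strip()


def _lookup(table, presented):
    """Compare against every stored secret in constant time per entry."""
    found = None
    for secret, owner in table.items():
        if hmac.compare_digest(secret.encode(), presented.encode()):
            found = owner
    return found


def identify_caller(headers):
    """Return (project, client); either is None when not established."""
    project = client = None
    if headers.get("X-API-Key"):                   # hypothetical header name
        project = _lookup(PROJECT_KEYS, headers["X-API-Key"])
    if headers.get("Authorization"):
        scheme, cred = parse_authorization(headers["Authorization"])
        if scheme == "bearer":                     # token from client credentials grant
            client = _lookup(ISSUED_TOKENS, cred)
        elif scheme == "basic":                    # client_id:client_secret at the token endpoint
            try:
                cid, _, secret = base64.b64decode(cred).decode().partition(":")
            except ValueError:
                return project, None
            expected = CLIENTS.get(cid, "")
            if expected and hmac.compare_digest(expected.encode(), secret.encode()):
                client = cid
        elif scheme == "apikey":                   # hypothetical scheme: key in Authorization
            project = _lookup(PROJECT_KEYS, cred)
    return project, client
```

A request carries one Authorization value, so an API key delivered there cannot share that header with a bearer token; sending both requires a separate header for the key.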
