Security - What is an API key?

14

I'm seeing this word in almost every service application.

What really is an API key and what are its uses?

How does it really work?

Also please, if possible, explain the difference between public and private API keys.

    
asked by anonymous 26.08.2016 / 13:36

4 answers

11

API Keys are access credentials provided to authorize the use of specific functionality of an API. There are several types of implementations.

  • Web applications: API Keys can be provided via cookies or HTTP headers; in backend operations, they may be part of the original request URI.
  • Desktop applications: API Keys can be used to access the functionality of a third-party library.

Whether an API key is public or private also depends on the implementation. For example, you may have a public key issued to your client (say www.app.com) that allows access to a specific API (api.servico.com), which is then used by your browser. However, server-to-server calls use another, private key for more sensitive operations such as authentication and credential validation.

    
26.08.2016 / 14:28
8

API

Basically, an API is a set of routines and programming standards for accessing a software application or Web-based platform. The acronym API stands for the English term "Application Programming Interface" (in Portuguese, "Interface de Programação de Aplicativos").

Generally, an API is developed when a software company wants other software developers to build products associated with its service. There are several companies that provide their code and instructions for use on other sites in the way most convenient for their users. YouTube, Google Maps, Facebook and Twitter are great examples in the area of APIs. Through their original code, many other sites and applications use the data and adapt it to make use of these services.

Why expose the data?

For some specific reasons, exposing certain data and resources is a well thought out business strategy and innovation. It is important to think of some reasons for this data exposure. Keep these aspects in mind:

  • Integrate your platform with partners;
  • Generate innovation about your own data in a way you could not alone;
  • Generate development of your own platform in new media;
  • Generate more market and expand target audience;
  • Organization of the IT industry, where APIs are the other internal teams of the company, and the exposed APIs serve as data interchange portals.

Therefore, the API is an interface to the assets (data) of the company, but at the same time bars abusive uses of these assets.

Key

In its literal, everyday sense, a "key" is a metal utensil that is inserted into the lock to which it belongs to move the bolt, and which makes it possible to open or close doors, covers, locks, etc.

Given this, the API key often acts as both a unique identifier and a secret key for authentication, and usually has a set of APIs associated with it. An API key can be based on a UUID (Universally Unique Identifier) to ensure that it will be unique for each user. The idea is quite simple to understand because of the self-explanatory name, but the UUID concept is something more complex and very functional.

In the case of Google Map, your API key is based on a short form of your application's digital certificate, known as a SHA-1 fingerprint. To view the SHA-1 fingerprint of your certificate, first make sure you are using the correct certificate, which is a certificate for debugging and publishing.

  

Keep your secret key and access tokens private. You can share them with an agent that is operating in your application, if he signs a confidentiality agreement.

The Facebook API key is a sequence of randomly generated numbers that you create each time a person registers your application through the site. It is always entirely numeric and consists of 15 characters. But that applies only to this case, because each company has its own policy for creating keys: numeric only, letters only, etc.

API keys allow you to generate an authentication credential that is separate from your username and password in some cases. You must create unique API keys for each of your applications or servers so that you can easily revoke them without interrupting other systems if necessary.

More details

26.08.2016 / 15:19
5

This is a very broad question ...

The exact function of an API key depends greatly on the entity that generated it and for what purpose.

Generally, an API key is the name given to a secret token that is sent inside a request to a webservice, in order to identify and often authenticate the user who is calling the service.

The key can also be included as part of an entire request signature in order to check its contents and prevent attacks like replay and man-in-the-middle.

In addition, in cases where you need to authenticate the user before he can access a feature of your webservice, there is a great advantage to using an API key. This type of key / token enables a stateless form of authentication where you do not need to create sessions, make use of cookies or any other conditional / temporary state that would require additional calls and session control mechanisms.

On the other hand, if you have a pair of keys (public and private) then we are talking about some form of asymmetric encryption. The techniques that involve this type of encryption are more complex and more secure to positively identify the origin and authenticity of a message, while protecting it from changes.

    
26.08.2016 / 14:04
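The request-signature idea from the answer above, as an added example that is not part of the original answer: the client sends only a key id, a timestamp, a nonce and an HMAC-SHA256 signature, and the server verifies them without any session state, rejecting altered, stale or repeated requests. The key id, secret, path and field layout are constructed for illustration and do not describe any particular provider's scheme.

```python
import hashlib
import hmac
import time

# Constructed sample data: key id -> shared secret (hypothetical values).
SECRETS = {"app-123": b"constructed-demo-secret"}
MAX_SKEW = 300          # seconds a signed request stays valid
_seen_nonces = set()    # server-side replay cache (in-memory for the demo)


def sign(secret, method, path, body, timestamp, nonce):
    """Return the hex HMAC-SHA256 over every field the server will trust."""
    msg = "\n".join([method, path, str(timestamp), nonce,
                     hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(key_id, method, path, body, timestamp, nonce, signature, now=None):
    """Server side: return (ok, reason) without needing any session state."""
    now = time.time() if now is None else now
    secret = SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key"
    expected = sign(secret, method, path, body, timestamp, nonce)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"      # altered content or wrong secret
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"    # old capture presented later
    if (key_id, nonce) in _seen_nonces:
        return False, "replayed nonce"     # same signed request seen twice
    _seen_nonces.add((key_id, nonce))
    return True, "ok"


def demo():
    """One genuine request, then a repeat, an altered body and a late arrival."""
    secret = SECRETS["app-123"]
    ts, body = 1_700_000_000, b'{"amount": 10}'
    sig = sign(secret, "POST", "/v1/pay", body, ts, "n-0001")
    first = verify("app-123", "POST", "/v1/pay", body, ts, "n-0001", sig, now=ts + 5)
    repeat = verify("app-123", "POST", "/v1/pay", body, ts, "n-0001", sig, now=ts + 6)
    altered = verify("app-123", "POST", "/v1/pay", b'{"amount": 9999}',
                     ts, "n-0001", sig, now=ts + 7)
    late_sig = sign(secret, "POST", "/v1/pay", body, ts, "n-0002")
    late = verify("app-123", "POST", "/v1/pay", body, ts, "n-0002", late_sig,
                  now=ts + 3600)
    return first, repeat, altered, late
```

The secret itself never travels with the request; the signature protects integrity and origin, while confidentiality of the body still depends on TLS.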
4

API Keys, as has been said, are access credentials provided to authorize the use of specific functionality of an API and are used to monitor and control the way the API is being used, for example to prevent misuse or abuse of the API.

API Keys allow you to generate an authentication credential that is separate from your username and password. They are independent of one another and are easily disposable. You should create a single API Key for each of your applications or servers so that you can easily revoke them without interrupting other systems if necessary.

This site, in English, shows the top 6 reasons to use an API key and how to use them.

A public API key, as its name says, is public and can be viewed by anyone, which does not compromise the security of information. The private key must be kept completely private and safe, because with it queries can be made that compromise security. It depends on the implementation.



28.09.2016 / 15:19
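The advice in the second and fourth answers to issue a separate key per application so that one can be revoked without interrupting the others, as an added example that is not part of any answer: a small in-memory key store that keeps only a hash of each key. The class, method and application names are hypothetical.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Issues one API key per application and keeps only a hash of each."""

    def __init__(self):
        self._by_id = {}   # key id -> {"app", "digest", "revoked"}

    def issue(self, app):
        key_id = secrets.token_hex(8)            # non-secret lookup part
        secret = secrets.token_urlsafe(32)       # shown to the caller once
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self._by_id[key_id] = {"app": app, "digest": digest, "revoked": False}
        return f"{key_id}.{secret}"

    def authenticate(self, presented):
        """Return the application name for a valid key, else None."""
        key_id, _, secret = presented.partition(".")
        rec = self._by_id.get(key_id)
        if rec is None or rec["revoked"]:
            return None
        digest = hashlib.sha256(secret.encode()).hexdigest()
        # Constant-time comparison of the stored and presented digests.
        return rec["app"] if hmac.compare_digest(digest, rec["digest"]) else None

    def revoke(self, presented):
        """Disable one key; every other application's key keeps working."""
        key_id = presented.partition(".")[0]
        if key_id in self._by_id:
            self._by_id[key_id]["revoked"] = True


def demo():
    """Two applications get separate keys; only the web key is revoked."""
    store = KeyStore()
    web_key = store.issue("web-frontend")
    batch_key = store.issue("batch-server")
    before = (store.authenticate(web_key), store.authenticate(batch_key))
    store.revoke(web_key)
    after = (store.authenticate(web_key), store.authenticate(batch_key))
    # A valid key id with a guessed secret must not authenticate.
    forged = store.authenticate(batch_key.split(".")[0] + ".guess")
    return before, after, forged
```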