An application programming interface (API) key is a unique code used in an API to identify the calling application or user. API keys are used to track and control who uses the API and how, and to authenticate and authorize applications – similar to how usernames and passwords work. An API key can be a single key or a set of multiple keys. Users should follow best practices to improve their overall protection against API key theft and avoid the related consequences of having their API keys compromised.

API and API key

To understand what an API key is, you first need to understand what an API is. An application programming interface, or API, is a software intermediary that allows two or more programs to exchange information. For example, the CoinMarketCap API allows other applications to retrieve and use cryptocurrency data such as price, volume, and market capitalization.

The API key can be of different forms. This can be a single key or a set of multiple keys. In various systems, these keys are used for application authentication and authorization in the same way that a username and password are used. The API key is used by the API client to authenticate the application calling the API.

For example, if Binance Academy wants to use the CoinMarketCap API, an API key will be generated in CoinMarketCap and used to authenticate the Binance Academy (API client) requesting access to the API. When Binance Academy accesses the CoinMarketCap API, this API key should be sent to CoinMarketCap with the request.

This API key should only be used through Binance Academy and may not be shared or sent to others. Sharing this API key will allow a third party to access CoinMarketCap as Binance Academy, and any actions by the third party will appear as if they originate from Binance Academy.

The API key can also use the CoinMarketCap API to confirm that the application is allowed to access the requested resource. In addition, API owners use API keys to monitor API activity, such as request types, traffic, and volume.

What is an API key?

The API key is used to control and track who uses the API and how it is used. The term "API key" can mean different things to different systems. Some systems have one code, others may have multiple codes for a single "API Key".

Thus, an "API Key" is a unique code or set of unique codes used in an API to authenticate and authorize the calling user or application. Some codes are used for authentication, while others are used to create cryptographic signatures that confirm the legitimacy of the request.

These authentication codes are commonly referred to as an "API key", while the codes used for cryptographic signatures have various names such as "secret key", "public key" or "private key". Authentication involves identifying the individuals involved and confirming that they are who they say they are.

Authorization, on the other hand, specifies which API services are allowed to be accessed. The function of the API key is similar to the function of the username and password of the account; it can also be connected to other security features to increase overall security.

Each API key is typically generated for a specific object by the API owner (see below for details), and whenever an API endpoint call is made that requires user authentication or authorization, or both, the corresponding key is used.

Cryptographic signatures

Some API keys use cryptographic signatures as an additional layer of verification. When a user wants to send certain data to the API, a digital signature generated by another key can be attached to the request. Using cryptography, the API owner can verify that this digital signature matches the data sent.

Symmetric and asymmetric signatures

Data sent through the API can be signed with cryptographic keys that fall into the following categories:

Symmetric keys

This is the use of a single secret key to sign data and verify the signature. When using symmetric keys, the API key and secret key are usually generated by the API owner, and the same secret key must be used by the API service to verify the signature. The main advantage of using a single key is that everything happens faster and requires less computing power to generate and verify the signature. A good example of a symmetric key is HMAC.

Asymmetric keys

This is the use of two keys: a private key and a public key, which are different but cryptographically related. The private key is used to create the signature and the public key is used to verify the signature. The API key is generated by the API owner, and the private and public key pair is generated by the user. The API owner must use only the public key to verify the signature, so that the private key remains local and secret.

The main advantage of using asymmetric keys is the higher security of the separation of signature generation and key verification. This allows external systems to verify signatures without being able to generate them. Another advantage is that some asymmetric encryption systems support adding a password to private keys. A good example is an RSA key pair.

Are API keys safe?

The API key is the responsibility of the user. API keys are similar to passwords and should be handled with the same care. Sharing an API key is similar to sharing a password and therefore should not be shared with others as this will put the user's account at risk.

API keys are commonly targeted by cyberattacks because they can be used to perform powerful operations on systems, such as requesting personal information or financial transactions. In fact, there have been cases where crawlers have successfully attacked online code databases to steal API keys.

The consequences of API key theft can be serious and lead to significant financial losses. Additionally, since some API keys do not expire, attackers can use them indefinitely after theft until the keys themselves are revoked.

Guidelines for using API keys

Because of their access to sensitive data and their general vulnerability, the secure use of API keys is of paramount importance. You can follow these best practices when using API keys to improve their overall security:

  1. Change your API keys frequently. This means that you must delete your current API key and generate a new one. Generating and deleting API keys is fairly easy with most systems. Just as some systems require you to change your password every 30-90 days, you should change your API keys at the same frequency if possible.

  2. Use an IP whitelist: When creating an API key, create a list of IP addresses that can use the key (IP whitelist). You can also specify a list of blocked IP addresses (IP blacklist). That way, even if your API key is stolen, it still cannot be accessed by an unknown IP address.

  3. Use multiple API keys: Having multiple keys and dividing responsibilities between them will reduce security risk because your security won't depend on a single key with extended permissions. You can also set different IP whitelists for each key, further reducing your security risk.

  4. Store API keys securely: Do not store keys in public places, on public computers, or in plain text format. Instead, store each key with encryption or a password manager for added security, and be careful not to accidentally reveal them.

  5. Do not share your API keys with anyone. Sharing an API key is similar to sharing your password. In doing so, you grant your authentication and authorization privileges to the other party. If these are compromised, your API key can be stolen and used to hack your account. An API key should only be used between you and the system that generates it.

If your API key is compromised, you must first disable it to prevent further damage. If there are financial losses, take screenshots of key information related to the incident, contact the relevant organizations and file a police report. This is the best way to increase your chances of recovering lost funds.

Results

API keys provide basic authentication and authorization functions, and users should carefully manage and secure their keys. There are many layers and aspects to ensuring the secure use of API keys. In general, the API key should be treated as the password to your account.

  • General safety principles

  • 5 Common Cryptocurrency Scams and How to Avoid Them