Applications running on computers, mobile telephones and other types of processing devices are often configured to utilize application programming interface (API) keys in order to access protected resources over a network. By way of example, an API key may be submitted in conjunction with a service request directed to a server over the Internet in order to uniquely identify the source of the request. The corresponding API on the server can grant or deny access to services based on the identity of the request source as reflected by the API key. Accordingly, the API key may be viewed as supporting a type of user authentication that serves to control access to protected resources.
A more particular example of an application that utilizes API keys is a content aggregator application. Such an application is generally configured to gather information for a given user from multiple designated services including news feeds and social media sites such as Facebook and Twitter. The content aggregator application then presents all of the gathered information to the user in a unified view.
The requests generated by the application may be encoded as hypertext transfer protocol (HTTP) requests. A given such request includes an API key that identifies the user in a manner that can be understood by the corresponding service.
Unfortunately, conventional API keys can present significant problems in terms of security. For example, API keys in many cases are implemented as static passwords, and are therefore highly vulnerable to interception and replay by attackers. Such attackers could use the API key to disrupt the server or to accrue unauthorized charges on a user account. These and numerous other potential issues associated with use of static passwords can undermine the effectiveness and utility of API keys in a wide variety of applications.