OAuth (Access Token) Vs API Key

2019-01-17 07:13发布

问题:

I have came across lots of articles and many suggesting to use OAuth over API Key. From my understanding, in OAuth, we are finally getting access token and it is valid for many days. One example is, QuickBooks online OAuth token is valid for 6 months.

So, access token is equivalent to API Key. Whoever gets it, should have it secure similar like API Keys. And OAuth calls should be made via HTTPS similar to API Key based calls.

Another advantage over OAuth is Authorization. But we can do the same with API Key model. For example, we can define rules in our database like these API keys can access these APIs.

Now, What is the real advantage of OAuth? If we implement OAuth, we have to ask all our clients to install OAuth supporting libraries in their server. And it is a complex task for them and also for us. Whereas in API Key model it is a simple web call with no other additional libraries and complexities.

My intention is just to understand OAuth better and not compare & argue with API Key model.

Note:
I'm not talking about Google & LinkedIn kind of model where users have to see and give permissions. I'm just talking about APIs that we provide to our own customers.

Thanks for your help in advance.

回答1:

You need OAuth only when you want to enable a user of your service to allow a third-party client application to access his/her data hosted in your service without revealing his/her credentials (ID & password) to the application.

What a pair of API key & API secret can do is just authentication of a client application. If it is okay for you to allow an authenticated client application to access a user's data without explicit consent by the user, you don't have to use OAuth.



标签: api oauth