I'm looking for suggestions about a RESTful API design. I've read a lot about REST API schemes, ways of authentication/authorization etc. What I can't decide is if I really need to use API keys. From what I understand using API keys is useful if you want to monitor the usage, limit each application's requests and for statistical data.
What I want to avoid is having to create additional web interfaces for adding/managing/removing applications and adding/removing application administrators. Maybe there's a simpler way to do the API key distribution. Or do I really need those? I mean, monitoring and limiting the usage is cool and sounds useful but does it deserve the other things I need to make for keys distribution.
To be more specific my website is something like slideshare and scribd. I want to give API access to its functions like adding and managing documents and getting information about users. So for example to upload a file you need to somehow authenticate and use a specific account to do it. In this case is an API key a requirement or I can just stick with authenticating users?
So what do you think is the best way for me to handle API keys? Or should I use them at all? Is there a more clever way to distribute (create, remove) the keys?
Thanks in advance :)
well do you know mashery http://www.mashery.com/ and programmableweb?
maybe there are some useful ressources http://www.mashery.com/solution/collegeboard
and http://www.3scale.net/
i would use api keys for statistics and limitation but also serve some services without an api key like google does
You can create easily APIs with solutions like
Restler http://luracast.com/products/restler/
Frapi http://getfrapi.com/
The Datatank http://thedatatank.com/
Services (just for Drupal) http://drupal.org/project/services
there are some more: http://blog.programmableweb.com/2011/09/23/short-list-of-restful-api-frameworks-for-php/
I answered in the post above too - but ran out of space. As a disclaimer I work for 3scale (http://www.3scale.net) so you might want to parse my response based on that :).
The answer to your question really depends on what resources your API exposes and what you're aiming to track/limit. It sounds like most functions are tied to a user account of some kind, but could be implemented by 3rd parties.
In this case the most useful pattern is probably to have an identifier (public or secret) for each application which calls the API + also user credentials. The application identifier could be an APIKey or even just a name (e.g. "tweetdeck"). If you end up with a lot of third party applications then it is probably useful to track these identifiers (which implies a minimum a way to issue them) and know who built each app + have the ability to turn them off (if only to shut down those that abuse your user-base). You might also want to rate the limit the amount of traffic each user and app can generate on the API, so it's again useful to have an identifier.
Also, if your authenticating users, but allowing third parties to write the apps your users use, definitely consider oAuth (http://www.oauth.net) to avoid rogue code / sites capturing your user passwords.
You mention above that you're not keen on external services - no problem, 3scale works by actually doing all the API auth local to your systen (e.g. with one of the code plugins: https://support.3scale.net/libraries or in a proxy like Varnish: https://github.com/3scale/libvmod-3scale/) and then does tracking in the cloud. Obviously it doesn't fit all use cases, but can give you a bunch of useful tools out of the box.