<!DOCTYPE html> <html lang="en-US"> <head> <meta charset="utf-8"> <title>API Keys ≠ Security: Why API Keys Are Not Enough | Nordic APIs</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"/> <meta name="description" content="API Keys are not security. By design they lack granular control, and there are many vulnerabilities at stake: applications that contain keys can be decompiled to extract keys, or deobfuscated from on-device storage, plaintext files can be stolen for unapproved use, and password managers are susceptible to security risks as with any application. In this piece we outline the disadvantages of solely relying on API keys to secure the proper access to your data." /> <link rel="canonical" href="https://nordicapis.com/why-api-keys-are-not-enough/" /> <meta name="author" content="Kristopher Sandoval" /> <meta property="article:published_time" content="2015-10-30T16:00:00+00:00" /> <meta property="article:modified_time" content="2024-07-23T10:12:57+00:00" /> </head> <body class="post-template-default single single-post postid-3441 single-format-standard post-why-api-keys-are-not-enough"> <div class="container "> <div id="content" class="clearfix row"> <div id="main" class="col-md-8 clearfix" role="main"> <article id="post-3441" class="clearfix post-3441 post type-post status-publish format-standard has-post-thumbnail hentry category-blog tag-api-security tag-data tag-identity-control tag-openid-connect" role="article" itemscope itemtype="http://schema.org/BlogPosting"> <header class="article-header"> <div class="titlewrap clearfix"> <h1 class="single-title entry-title"> API Keys ≠ Security: Why API Keys Are Not Enough </h1> <div class="sm-flex flex-center justify-between mb2 lg-mb4 mt3"> <div class="flex flex-center justify-between w100"> <div class="post-authors-wrapper"> <a class="inline-flex flex-center" href="https://nordicapis.com/author/sandovaleffect/">Kristopher Sandoval</a> </div> <time class="inline-block" datetime="2015-10-30">October 30, 2015</time> </div> </div> <div class="flex flex-center mt2 mb2"
gap="2"> </div> </div> </header> <section class="entry-content single-content clearfix" itemprop="articleBody"> <p><img decoding="async" class="aligncenter size-full wp-image-3744" src="https://nordicapis.com/wp-content/uploads/Why-API-Keys-are-Not-Enough-Nordic-APIs.png" alt="Why API Keys are Not Enough - Nordic APIs" width="1000" height="750" />We’re all accustomed to using <strong>usernames</strong> and <strong>passwords</strong> for hundreds of online accounts — but if not managed correctly, passwords can become a major distraction and a potential security vulnerability. The same is true in the API space. There’s nothing inherently wrong with usernames — you need those. 
But if you use them without also having some sort of credential that allows the service to verify the caller’s identity, you are certainly doing it wrong.</p> <p>Unfortunately, many API providers make a dangerous mistake that exposes a large amount of data and makes an entire ecosystem insecure. In plain English — <strong>if you’re only using API keys, you may be doing it wrong!</strong></p> <h2 id="whatisanapikey">What is an API Key?</h2> <p>An <strong>API Key</strong> is a unique string assigned to a specific program, developer, or user, and sent along whenever that entity makes a call to an API. The key is typically a long string of generated characters that follows a set of generation rules specified by the authority that issues it:</p> <pre><code>IP84UTvzJKds1Jomx8gIbTXcEEJSUilGqpxCcmnx</code></pre> <p>Upon account creation or app registration, many API providers assign API keys to their developers, allowing them to function in a way similar to an account username and password. API keys are <strong>unique</strong>, and because of this, many providers have opted to use these keys as a type of <strong>security layer</strong>, barring entry and further rights to anyone unable to provide the key for the service being requested.</p> <p>Despite the alluring simplicity and ease of using API Keys in this way, the shifting of security responsibility, the lack of granular control, and the misunderstanding of their purpose and use amongst most developers make solely relying on API Keys a poor decision. 
More than just protecting API keys, we need to build <a href="https://curity.io/">robust identity control and access management features</a> to safeguard the entire API platform.</p> <h2 id="shiftingofresponsibility">Shifting of Responsibility</h2> <p>In most common implementations of the API Key process, the security of the system as a whole is entirely dependent on the ability of the <a href="https://nordicapis.com/how-to-understand-your-target-api-consumer/">developer consumer</a> to protect their API keys and maintain security. However, this isn’t always reliable. Take Andrew Hoffman’s $2375 Amazon EC2 mistake, which involved an accidental API key push to GitHub. As developers rely on cloud-based development tools, the accidental or malicious public exposure of API keys is a real concern.</p> <p>From the moment a key is generated, it is passed over the network to the user, often over a connection with limited encryption and security options. Once the user receives the key, which in many common implementations is provided in plain text, the user must then save the key using a password manager, write it down, or save it to a file on the desktop. Another common method of API Key storage is device storage, which takes the generated key and saves it on the device from which it was requested.</p> <p>When a key is used, the API provider must rely on the developer to encrypt their traffic, secure their network, and uphold their side of the security bargain. There are many vulnerabilities at stake here: applications that contain keys can be <strong>decompiled</strong> to extract them, or the keys can be deobfuscated from on-device storage; plaintext files can be <strong>stolen</strong> for unapproved use; and password managers are susceptible to security risks, as is any application.</p> <p>Due to its relative simplicity, most common implementations of the API Key method provide a sense of <strong>false security</strong>. 
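</p>
<p>The accidental GitHub push described above is exactly the failure a pre-push scan is meant to catch before a key leaves the developer’s machine. The following is an added example and not code from the original post: it flags candidate keys in staged text by matching the 40-character alphanumeric shape of the sample key shown earlier (an assumption generalised from that one sample) and then requiring high character entropy, so placeholders such as a run of repeated letters are ignored. The file names and file contents are constructed samples.</p>

```python
"""Pre-push scan for strings shaped like the API key sample on the page."""
import math
import re
import sys
from collections import Counter

# Shape of the sample key shown earlier: 40 characters from [A-Za-z0-9], not
# embedded in a longer alphanumeric run. Assumption: the keys we want to catch
# follow that same shape; adjust the pattern for other issuers.
KEY_PATTERN = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{40}(?![A-Za-z0-9])")

# Minimum Shannon entropy (bits per character) for a match to count. At
# length 40 the ceiling is log2(40), about 5.3; a real key drawn from a
# 62-symbol alphabet lands near 4.7, while placeholders such as forty 'A's
# or a repeated digit sequence score between 0 and 3.3 and are skipped.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(candidate: str) -> str:
    """Never echo a suspected secret in full; keep just enough to locate it."""
    return candidate[:4] + "..." + candidate[-2:]


def find_candidate_keys(name: str, text: str) -> list:
    """Return one finding per high-entropy, key-shaped token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            token = match.group(0)
            entropy = shannon_entropy(token)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({
                    "file": name,
                    "line": lineno,
                    "token": mask(token),
                    "entropy": round(entropy, 2),
                })
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of file name -> contents, as a pre-push hook would."""
    findings = []
    for name, text in files.items():
        findings.extend(find_candidate_keys(name, text))
    return findings


# Constructed sample "staged files". config.py reuses the sample key printed
# on the page; README.md holds an obviously fake placeholder that the entropy
# filter ignores; main.py reads the key from the environment at runtime.
SAMPLE_FILES = {
    "config.py": 'API_KEY = "IP84UTvzJKds1Jomx8gIbTXcEEJSUilGqpxCcmnx"\n',
    "README.md": "Put your key in API_KEY, e.g. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
    "main.py": 'key = os.environ["API_KEY"]  # read at runtime, never committed\n',
}


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit['file']}:{hit['line']}: possible API key {hit['token']} "
              f"(entropy {hit['entropy']} bits/char)")
    # A non-zero exit aborts the push when this runs as a git pre-push hook.
    sys.exit(1 if hits else 0)
```

<p>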
Developers embed the keys in <strong>GitHub</strong> pushes, use them in third-party API calls, or even share them between various services, each with its own security caveats. In such a vulnerable situation, security is a huge issue, but it’s one that isn’t really brought up with API Keys because <em>“they’re so simple — and the user will keep them secure!”</em></p> <p>This is a reckless viewpoint. API Keys are only secure when used with <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">SSL/TLS</a>, which isn’t even a requirement in the basic implementation of the methodology. Other systems, such as <a href="https://oauth.net/">OAuth 2</a>, Amazon Auth, and more, require the use of SSL/TLS for this very reason. Shifting the responsibility from the service provider to the developer consumer is also a negligent decision from a <a href="https://nordicapis.com/7-api-design-lessons-world-tour-roundup/">UX perspective</a>.</p> <div class="well"><div class="responsive-iframe-container"><iframe src="https://www.youtube.com/embed/tj03NRM6SP8" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></div><br /> Watch Travis Spencer give a session on the Nuts and Bolts of API Security</div> <h2 id="lackofgranularcontrol">Lack of Granular Control</h2> <p>Some people forgive the lack of security. After all, it’s on the developer to make sure solutions like SSL/TLS are implemented. However, even if you do ensure transport security, your issues don’t stop there — <strong>API Keys by design lack granular control</strong>.</p> <p>Somewhat ironically, before API keys were used with RESTful services, we had WS-Security tokens for SOAP services that let us do many things with more fine-grained control. While other solutions can be scoped, audience-restricted, controlled, and managed down to the smallest minutiae, API Keys, more often than not, only provide access until revoked. 
They cannot be dynamically scoped or constrained.</p> <p>That’s not to say API Keys lack <em>any</em> control — relatively useful read/write/read-write control is definitely possible in an API Key application. However, the needs of the average API developer often warrant more full-fledged options.</p> <p>This is not a localized issue either. As more and more devices are <a href="https://nordicapis.com/the-state-of-iot-information-design-why-every-iot-device-needs-an-api/">integrated into the Internet of Things</a>, this control will become more important than ever before, magnifying the choices made in the early stages of development to gargantuan proportions later on in the <a href="https://nordicapis.com/envisioning-the-entire-api-lifecycle/">API Lifecycle</a>.</p> <h2 id="squarepeginaroundhole">Square Peg in a Round Hole</h2> <p>All of this comes down to a single fact: <strong>API Keys were never meant to be used as a security feature</strong>. Most developers use API Keys as a method of authentication or authorization, but the API Key was only ever meant to serve as identification.</p> <p>API Keys are best for two things: <strong>identification</strong> and <strong>analytics</strong>. While analytic tracking (and specifically <a href="https://nordicapis.com/success-vs-failure-the-importance-of-api-metrics/">API Metrics</a>) can make or break a system, other solutions implement this feature in a more feature-rich way. Likewise, while API Keys do a great job of identifying a user, other alternatives, such as public key encryption, <a href="https://www.pingidentity.com/en/blog/2015/01/20/new_standards_emerging_for_hok_tokens.html">HoK Tokens</a>, etc. 
do a much better job of it while providing more security.</p> <div class="well"><a href="https://nordicapis.com/api-security-the-4-defenses-of-the-api-stronghold/">Understand the Differences Between Authorization, Authentication, Federation, and Delegation</a></div> <h2 id="theprosofapikeys">The Pros of API Keys</h2> <p>There are definitely some valid reasons for using API Keys. First and foremost, API Keys are <strong>simple</strong>. The use of a single identifier is simple, and for some use cases, the best solution. For instance, if an API is limited specifically in functionality so that “read” is the only possible command, an API Key can be an adequate solution. Without the need to edit, modify, or delete, security is a lower concern.</p> <p>Secondly, API Keys can help reduce the entropy-related issues within an authenticated service. <strong>Entropy</strong> — the amount of energy or potential within a system constantly expended during its use — dictates that there is a limited number of authentication pairs. If entropy dictates that you can only have 6.5 million unique pairs when limited to a certain character set and style, then you can only have 6.5 million devices, users, or accounts before you run into a naming problem. Conversely, establishing an API Key with a high number of acceptable variables largely solves this, increasing theoretical entropy to a much higher level.</p> <p>Finally, <strong>autonomy</strong> within an API Key system is extremely high. Because an API Key is independent of a naming server and master credentials, keys can be created autonomously. While this comes with the caveat of possible Denial of Service attacks, the autonomy created is wonderful for systems that are designed to harness it.</p> <p>When developing an API, the principle of least privilege should be adhered to — <strong>allow only those who require resources to access those specific resources</strong>. 
This principle hinges on the concept of CIA in system security — Confidentiality, Integrity, and Availability. If your API does not deal with confidential information (for instance, an API that serves stock exchange tickers), does not serve private or mission-critical information (such as a news/RSS API), or demand constant availability (in other words, can function intermittently), then API Keys may be sufficient.</p> <p>Additionally, API Keys are a good choice for developer-specific API uses. When developers are configuring API clients at operation time, and use changing keys for different services, this is acceptable.</p> <div class="well"><a href="https://nordicapis.com/api-security-equipping-your-api-with-the-right-armor/">On Determining Access: Equip Your API With The Appropriate Armor</a></div> <h2 id="backtoreality">Back to Reality</h2> <p>The benefits of using API Keys outlined above are still tenuous in the general use-case scenario. While API keys are <em>simple</em>, the limitation of “read-only” is hampering rather than liberating. Even though they provide for higher levels of <em>entropy</em>, this solution is not limited to API Keys and is inherent in other authentication/authorization solutions as well. Likewise, <em>autonomy</em> can be put in place through innovative server management and modern delegation systems.</p> <h2 id="conclusion:apikeysarenotacompletesolution">Conclusion: API Keys Are Not a Complete Solution</h2> <p>The huge problems with API Keys come when end users, not developers, start making API calls with these Keys, which more often than not expose your API to security and management risks. What it comes down to is that <strong>API Keys are, by nature, not a complete solution</strong>. While they may be perfectly fine for read-only purposes, they are too weak a solution to match the complexity of a high-use API system. 
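</p> <p>The read-only carve-out above, and the step into identification, authentication, and authorization that writes force, shown as an added Python example that is not code from the original post: the API key only identifies the caller and feeds a per-key metric, GET and HEAD are allowed on that basis alone, and any state-changing method additionally requires a separately verified user credential. The key table, the owners, the HMAC-signed bearer token standing in for a real user-authentication system, and the 256-bit key size are all assumptions of the example.</p>

```python
"""Added example (not code from the original post): an API key acts only as
an identifier with a per-key call counter, read-only methods are allowed on
that basis alone, and any state-changing method additionally needs a
separately verified user credential. Keys, owners, the bearer-token scheme
and the server secret below are constructed for this illustration."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

KEY_BYTES = 32  # 256 bits of entropy from the OS CSPRNG (an assumption)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a key of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols, i.e. log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def key_digest(raw_key: str) -> str:
    """The key table holds SHA-256 digests, never plaintext keys, so a leaked
    table does not hand out usable credentials."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


@dataclass
class KeyRecord:
    owner: str      # who the key identifies
    calls: int = 0  # analytics counter for that identified caller


KEY_TABLE: Dict[str, KeyRecord] = {}  # constructed in-memory key store


def register_key(owner: str) -> str:
    """Issue a fresh random key for `owner`; only its digest is stored."""
    raw = secrets.token_urlsafe(KEY_BYTES)
    KEY_TABLE[key_digest(raw)] = KeyRecord(owner)
    return raw


# Stand-in for a real user-authentication system (the post points at OAuth
# and OpenID Connect): a bearer token is "owner.hmac" under a server secret.
BEARER_SECRET = secrets.token_bytes(32)  # constructed; a real one is managed


def issue_bearer(owner: str) -> str:
    mac = hmac.new(BEARER_SECRET, owner.encode("utf-8"), hashlib.sha256)
    return f"{owner}.{mac.hexdigest()}"


def verify_bearer(token: str, expected_owner: str) -> bool:
    owner, _, mac = token.rpartition(".")
    if owner != expected_owner:
        return False
    good = hmac.new(BEARER_SECRET, owner.encode("utf-8"), hashlib.sha256)
    return hmac.compare_digest(mac.encode("utf-8"),
                               good.hexdigest().encode("utf-8"))


SAFE_METHODS = frozenset({"GET", "HEAD"})


@dataclass
class Decision:
    allowed: bool
    reason: str
    caller: Optional[str] = None  # identity for logs and metrics, never the key


def authorize(method: str, api_key: Optional[str],
              bearer: Optional[str] = None) -> Decision:
    """Identify the caller by key; allow reads on that basis; require a
    verified user credential for anything that can change state."""
    if not api_key:
        return Decision(False, "missing api key")
    record = KEY_TABLE.get(key_digest(api_key))
    if record is None:
        return Decision(False, "unknown api key")
    record.calls += 1  # metrics: what a key is actually good for
    if method.upper() in SAFE_METHODS:
        return Decision(True, "read-only access by api key", record.owner)
    # Writes step into authentication and authorization territory.
    if bearer is None or not verify_bearer(bearer, record.owner):
        return Decision(False, "write requires an authenticated user",
                        record.owner)
    return Decision(True, "write by authenticated user", record.owner)


if __name__ == "__main__":
    key = register_key("ticker-dashboard")
    print(authorize("GET", key))
    print(authorize("POST", key))
    print(authorize("POST", key, issue_bearer("ticker-dashboard")))
    print(f"{keyspace_bits(256, KEY_BYTES):.0f}-bit keys versus a "
          f"6.5-million-pair keyspace of {math.log2(6_500_000):.1f} bits")
```

<p>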
Whenever you start integrating other functionality such as writing, modification, deletion, and more, you necessarily enter <a href="https://nordicapis.com/api-security-the-4-defenses-of-the-api-stronghold/">the realm of Identification, Authentication, and Authorization</a>.</p> <p>Basic API Key implementation doesn’t support authentication without additional code or services, it doesn’t support authentication without a matching third-party system or secondary application, and it doesn’t support authorization without some serious “hacks” to extend use beyond what they were originally intended for.</p> <p>While an argument could be made for expanding out the API Keys method to better support these solutions, that argument would advocate re-inventing the wheel. There are already so many <a href="https://nordicapis.com/api-security-oauth-openid-connect-depth/">improved solutions available</a> that adding functionality to an API Key system doesn’t make sense. Even if you did add something like authentication, especially federated authentication, to the system using Shibboleth, OpenID, etc., there are a ton of systems out there that already have support for this.</p> <h2 id="moreonapisecurityfromthenordicapisteam:">More on API Security from the Nordic APIs team:</h2> <div id="attachment_3453" style="width: 160px" class="wp-caption alignright"><a href="https://nordicapis.com/ebooks/"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-3453" class="wp-image-3453 size-thumbnail" src="https://nordicapis.com/wp-content/uploads/security_ebook_final-01-150x150.png" alt="security_ebook_final-01" width="150" height="150" srcset="https://nordicapis.com/wp-content/uploads/security_ebook_final-01-150x150.png 150w, https://nordicapis.com/wp-content/uploads/security_ebook_final-01-220x220.png 220w, https://nordicapis.com/wp-content/uploads/security_ebook_final-01-180x180.png 180w, https://nordicapis.com/wp-content/uploads/security_ebook_final-01-60x60.png 60w, 
https://nordicapis.com/wp-content/uploads/security_ebook_final-01-125x125.png 125w, https://nordicapis.com/wp-content/uploads/security_ebook_final-01-32x32.png 32w, https://nordicapis.com/wp-content/uploads/security_ebook_final-01-50x50.png 50w, https://nordicapis.com/wp-content/uploads/security_ebook_final-01-64x64.png 64w, https://nordicapis.com/wp-content/uploads/security_ebook_final-01-96x96.png 96w, https://nordicapis.com/wp-content/uploads/security_ebook_final-01-128x128.png 128w" sizes="(max-width: 150px) 100vw, 150px" /></a><p id="caption-attachment-3453" class="wp-caption-text">API Keys ≠ Security. Check out “Securing the API Stronghold” for more.</p></div> <p>One of the most important facets of API development is the creation of a <a href="https://nordicapis.com/api-security-the-4-defenses-of-the-api-stronghold/">complete, effective security solution</a>. Deciding on the techniques and methods used to secure your information is by far the most important step in the API development lifecycle, as a single misstep in this area can lead to devastating security holes.</p> <p>We write about API security often — it’s not as dry as it seems! 
Check out the following articles for more expert advice, or download our comprehensive guide to API security: <a href="https://nordicapis.com/ebooks/">Securing the API Stronghold</a>.</p> <ul> <li><a href="https://nordicapis.com/api-security-oauth-openid-connect-depth/">Deep Dive into OAuth and OpenID Connect</a></li> <li><a href="https://nordicapis.com/how-to-control-user-identity-within-microservices/">How To Control User Identity Within Microservices</a></li> <li><a href="https://nordicapis.com/api-security-equipping-your-api-with-the-right-armor/">Equipping Your API With The Right Armor</a></li> <li><a href="https://nordicapis.com/api-security-the-4-defenses-of-the-api-stronghold/">The Four Defenses of the API Stronghold</a></li> <li><a href="https://nordicapis.com/3-unique-authorization-applications-of-openid-connect/">3 Unique Authorization Applications of OpenID Connect</a></li> <li><a href="https://help.github.com/articles/remove-sensitive-data/">Instructions on how to purge GitHub files</a></li> </ul> </section> <footer class="article-footer single-footer clearfix"> <p class="tags pull-left"> <span class="tags-title"></span> <a href="https://nordicapis.com/tag/api-security/" rel="tag">API Security</a>, <a href="https://nordicapis.com/tag/data/" rel="tag">APIs and Data</a>, <a href="https://nordicapis.com/tag/identity-control/" rel="tag">Identity Control</a>, <a href="https://nordicapis.com/tag/openid-connect/" rel="tag">OpenID Connect</a> </p> </footer> </article> <div class="post-authors-wrapper"> <div id="author-info" class="mt2"> <div class="author-desc"> <a href="https://nordicapis.com/author/sandovaleffect/"> <h3>Kristopher Sandoval</h3> </a> <p>Kristopher is a web developer and author who writes on security and business. He has been writing articles for Nordic APIs since 2015.</p> </div> </div> </div> </div> </div> </div> </body> </html>