Many web REST APIs provide you with a key and a secret. When you make an API request, you must send both of them. What is the use of this? Wouldn't one of them be enough?
This is not a public / private key exchange: you give them both, right?
Nor do you hash your content with the secret and compute a different value each time, as in many hashing schemes: you always send back the same key and secret.
The only thing I can find is the answer to "How to use the key and secret for verification?", which says that the server can cheaply hash your domain (or maybe your username, or something else) with a secret and check whether the result matches the key. Is that really how it is used?
(Bonus points for the name of this mechanism. It does not seem to match anything I can find on Stack Overflow / Wikipedia about cryptographic mechanisms.)
Update: the answer and a few comments tell me that it is a bad idea to pass both the key and the corresponding private key in the request. This happens in practice, but it is nevertheless a bad idea.
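The two patterns the question contrasts, side by side, as an added example that is not part of the original question or of the answer it references. Scheme 1 is what the question describes: the key identifies the account and the secret is the credential, both sent on every request, so the server only needs the key to look up a record and the secret to prove possession (and it can store just a salted hash of the secret). Scheme 2 is the alternative the comments point at: the secret stays on the client and is used to HMAC the request, so only the key, a timestamp and a signature travel. All names, header fields, the credential pair, the salt and the canonical string format are constructed for this example; the PBKDF2 and HMAC-SHA256 choices are ordinary choices, not anything the question or linked answer specifies.

```python
import hashlib
import hmac
import time

# Constructed credential pair for the example; a real API issues these once.
API_KEY = "example-key-0001"              # public identifier, safe to log
API_SECRET = "example-secret-do-not-log"  # the actual credential

# Store for scheme 1: keep only a salted hash of the secret, so a dump of
# this table does not hand out usable credentials. Static salt is an
# example simplification; use a random per-record salt in practice.
_SALT = b"constructed-salt"


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


HASHED_STORE = {API_KEY: (_SALT, hash_secret(API_SECRET, _SALT))}

# Store for scheme 2: HMAC verification needs the secret itself, so the
# server has to keep it (encrypted at rest in practice; a plain dict here).
SECRET_STORE = {API_KEY: API_SECRET}


def verify_key_and_secret(key: str, secret: str) -> bool:
    """Scheme 1: the client sends both key and secret on every request.

    The key only selects the record; the secret is the proof. The compare
    is constant-time so a wrong guess does not leak how many bytes matched.
    """
    entry = HASHED_STORE.get(key)
    if entry is None:
        hash_secret(secret, _SALT)  # same cost for unknown keys (timing)
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, hash_secret(secret, salt))


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> str:
    # Everything the server must be able to trust is bound into the MAC.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}"


def sign_request(key, secret, method, path, body, timestamp):
    """Scheme 2: the secret never leaves the client.

    Only the key (so the server can find the secret), a timestamp (to bound
    replay) and an HMAC over the request go on the wire.
    """
    msg = canonical_string(method, path, timestamp, body)
    sig = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return {"X-Api-Key": key, "X-Timestamp": str(timestamp), "X-Signature": sig}


def verify_signed_request(headers, method, path, body, now, max_skew=300):
    secret = SECRET_STORE.get(headers.get("X-Api-Key", ""))
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > max_skew:
        return False  # stale or far-future timestamp: treat as a replay
    msg = canonical_string(method, path, ts, body)
    expected = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    now = int(time.time())
    body = b'{"amount": 10}'
    hdrs = sign_request(API_KEY, API_SECRET, "POST", "/v1/transfer", body, now)
    print("scheme 1 accepts valid pair:", verify_key_and_secret(API_KEY, API_SECRET))
    print("scheme 2 accepts signed request:",
          verify_signed_request(hdrs, "POST", "/v1/transfer", body, now))
    print("scheme 2 rejects tampered body:",
          not verify_signed_request(hdrs, "POST", "/v1/transfer", b'{"amount": 9999}', now))
    print("secret appears on the wire:", API_SECRET in hdrs.values())
```

In scheme 1 the secret is effectively a password: it is exposed to every proxy, log line and TLS-terminating middlebox that sees the request, and possession of one captured request is possession of the credential. In scheme 2 a captured request can only be replayed within the timestamp window, and only for that exact method, path and body; the secret itself is never recoverable from the wire.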