Protecting API Keys

Question

Iv'e moved this from SO as it's more of a design question than a code one.

In many applications third party websites/programs can access the website via a key.

For example, a web application hosts applications each of which have a unique API key. These keys are issued to the various developers to ensure they don't make too many requests based on their contract.

However, the 3rd party applications often make requests in the form:

http://www.thewebapplication.com/my.api?key=TheKey&parameter=SomeValue

These can be seen by a myriad of technologies (fiddler, traffic snoopers). Even worse these requests may be placed in Javascript and made available to everyone. How can you design an API system which helps to protect your clients' API keys?

Answer 1

Instead of requiring the actual key, require something that only the key owner can provide, but which doesn't disclose the actual key value.

The usual solution is to expect not the key, but the value of a one-way hash function on the key+something arbitrary. For instance, the developer could generate a nonce value (something that is never sent more than once), combine it with the key, hash the result, and then send the combined hash + the nonce value, but not the key. Your application would then have to check that the hash is correct and that the nonce value wasn't used before (and that the service limit wasn't reached). This allows the client to make as many requests as they want (within their contract), but interceptors can't steal the credentials to spoon services off the contract.