API Keys

Understand how API keys are used to provide authentication and billing quotas.

What's an API key?

We’ve seen JWT and OAuth tokens used to authenticate and authorize API calls. They’re great for the security and robustness of the system. However, there are times when they are excessive for what we need, and a complex password is enough to get us through. That's not because the hackers have stopped attacking us, but because the risk doesn’t justify the overhead of other forms of security.

An API key is a complex string we can use to identify the client making an API call. API Gateway expects this key in the x-api-key request header. Based on this key, API Gateway can handle authentication and authorization for the request.

API Gateway keeps a pool of such keys, along with the access and quota allocated to each key. It tracks all the invocations made with a particular API key and uses that record to authorize any new invocation.

Create an API key

AWS provides us with a simple API to manage API keys. If we do it with the command line, here's a simple script:
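As an added example (not the course's own script), the following uses the AWS CLI to create a key, create a usage plan carrying a daily quota, and attach the key to that plan. The key name, REST API id, stage name, and throttle values are assumptions, and `aws` must already be configured with credentials allowed to manage API Gateway.

```shell
#!/bin/sh
# Added example: issue an API key and bind it to a usage plan with a quota.
# Placeholder inputs (assumptions): key name, REST API id, stage, daily limit.
set -eu

# Usage: create_api_key_with_quota NAME API_ID STAGE DAILY_LIMIT
# Prints "<key-id> <usage-plan-id>". The secret key value is never printed,
# so it does not end up in terminal scrollback or CI logs.
create_api_key_with_quota() (
  name=$1 api_id=$2 stage=$3 daily_limit=$4

  # Reject anything that is not a positive integer before calling AWS.
  case $daily_limit in
    ''|*[!0-9]*|0) echo "daily limit must be a positive integer" >&2; exit 2 ;;
  esac

  # 1. Create the key; API Gateway generates the random value itself.
  key_id=$(aws apigateway create-api-key \
    --name "$name" --enabled --query id --output text) || exit 1

  # 2. Create a usage plan holding the throttle and quota for this client.
  #    The rateLimit/burstLimit numbers are illustrative.
  plan_id=$(aws apigateway create-usage-plan \
    --name "${name}-plan" \
    --api-stages "apiId=${api_id},stage=${stage}" \
    --throttle "rateLimit=10,burstLimit=20" \
    --quota "limit=${daily_limit},period=DAY" \
    --query id --output text) || exit 1

  # 3. Attach the key to the plan so the quota is counted against it.
  aws apigateway create-usage-plan-key \
    --usage-plan-id "$plan_id" --key-id "$key_id" \
    --key-type API_KEY >/dev/null || exit 1

  printf '%s %s\n' "$key_id" "$plan_id"
)

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
  create_api_key_with_quota "$@"
fi
```

API Gateway only checks the key on methods that are marked as requiring an API key, so the key and plan have no effect until that setting is enabled on the method and the stage is redeployed.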
