[ACCEPTED]-REST GET requests, verbs and apikey-api-key

Accepted answer
Score: 13

In my opinion you should only use the Authorization header. That's what it is there for.

Putting it in the URL is a bad idea because:

a) as you said it pollutes the URL
b) if you decide to go SSL for security then the API key will still appear in log files
c) caches will end up creating multiple copies of the same representation, one for each api key.

For more information on creating your own Authorization scheme go here.

Score: 6

Credentials may be passed using the Authorization header:

GET http://domain.com:/book/1
Authorization: apikey="s4cr4t"


Score: 2

It all depends on how far you want to go, but the mechanics stay the same:

The goal is to identify the client with some level of security. (Note: Security is another detailed discussion). Remember that one of the “features” of REST is to be stateless: That means no session state on the server except for resources. To keep the client stateless, it needs to supply on each request enough information that the request is independent. It must give the server a way to identify the client such as a username/password, API Key or token.

You have various options to do this, so here are some:

Add HTTP headers to identify the client

Here one can use the Authorization header and send it with each request. There are various authentication schemes, but stick to the standard ones such as Basic Auth. Here you would probably stick to SSL. The authentication process generates a kind of token, if you like.

You can also make use of a cookie. The cookie must contain no information except that it is a “pointer or key” to a stateful session resource on your server (note: a session is a resource which is “rest-legal”). You can create this resource by doing a PUT (+info) with response 200 OK or POST (+info) with a response of 201 Created and Location: /sessions/123334. The session can then be validated by the server against things such as timeout, valid client ip address, api key etc.

With the method above, you can also define a custom header such as Api-Key: XXXX. But then you limit yourself to special clients. Set-Cookie is a “well known” header, so browsers will handle it more or less transparently. The authentication process can then be done by following links and filling in forms (PUT + POST) to authenticate (create session resource).

Encode an identifier in the content

Here you are free to do what you want too. Just add a field/token/id to your content and let the server verify it.

A RESTful API does application flow by resolving links. See also HATEOAS and Fielding's words. This also applies when you have a separate process of logging in to the application.

Do not encode any data in the URIs. (Out of band information)
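As an added example (not code from any of the answers above), here is a minimal server-side check that ties the answers together: it accepts the key only in the `Authorization: apikey="..."` form shown in the second answer, rejects a key passed in the query string (the log-file and cache problems the accepted answer lists), and emits the cache headers that keep one client's response from being served to another. The key store, the client id, the request shape and the helper names are all assumptions.

```python
import hmac
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample credential store (hypothetical): api key -> client id.
# A real service would look keys up in a database, never hard-code them.
VALID_API_KEYS = {"s4cr4t": "client-42"}

# Matches the header form used on this page: Authorization: apikey="s4cr4t"
_APIKEY_RE = re.compile(r'^apikey="([^"]+)"$', re.IGNORECASE)


def key_from_authorization(header_value):
    """Return the key carried by an Authorization header, or None if absent/malformed."""
    if not header_value:
        return None
    m = _APIKEY_RE.match(header_value.strip())
    return m.group(1) if m else None


def lookup_client(presented_key):
    """Compare against every stored key in constant time; returns the client id or None."""
    found = None
    for stored_key, client_id in VALID_API_KEYS.items():
        if hmac.compare_digest(stored_key.encode(), presented_key.encode()):
            found = client_id
    return found


def authenticate(request_line, headers):
    """Return (status, client_id_or_reason) for a request line plus a header dict."""
    _method, target, _version = request_line.split(" ", 2)
    query = parse_qs(urlsplit(target).query)
    # A key in the URL ends up in access logs and shared caches: refuse it outright.
    if any(name.lower() in ("apikey", "api_key", "key") for name in query):
        return 400, "api key must be sent in the Authorization header, not the URL"
    key = key_from_authorization(headers.get("Authorization"))
    if key is None:
        return 401, "missing or malformed Authorization header"
    client = lookup_client(key)
    if client is None:
        return 401, "unknown api key"
    return 200, client


def response_headers():
    """Headers a handler adds so a shared cache never reuses one client's body for another."""
    return {"Cache-Control": "private", "Vary": "Authorization"}
```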
