API keys: Weaknesses and security best practices

What is an API key?

An API key is a unique code that identifies and verifies that applications or end users calling an API are authorized to request access to that API -- thus providing a first level of authentication. Depending on the type of API key, it can limit access to only authorized users, identify usage patterns, rate-limit traffic and block or throttle calls made to an API.

API keys are the first step in the authentication process. They identify whether calls submitted to the API are valid, confirming the identities of requestors and ensuring they have the permission to request access. API keys provide limited authentication capabilities, however, and shouldn't be used as the sole authentication method.

API key security weaknesses

It is important to note that API keys have their own set of vulnerabilities, which could be potentially exploited. API key weaknesses include the following:

• API keys are rarely initially encrypted. API keys are often generated and stored in plaintext, making it possible for malicious actors to steal them if no further encryption occurs.
• Secure storage is lacking. Once an end user receives an API key, they must securely store it. This may include using a secrets manager, local device storage or -- worse yet -- writing it down on a Post-it note at their workstation.
• Third party-created API keys aren't secure by default. Organizations can use third-party services to create, issue and distribute API keys. Third parties, however, often do not provide security features, leaving API key protection and encryption to software developers.
• API keys lack granular controls. API keys do not provide granular levels of control. End users who have more detailed access rights and permissions for an API, for example, are not recognized by an API key.

How to secure API keys

Despite their weaknesses, API keys are necessary components in API use. They, therefore, require careful management and security measures. To ensure API key security, adhere to the following best practices:

• Don't store API keys within the code or the application's source tree. To streamline the overall security of a web application, software developers sometimes embed API keys into the code itself. If the API's or application's source code gets posted to a public repository, such as GitHub, the API key is publicly exposed.
• Securely store API keys. Create an environment variable to store API keys in. Storing an API key as an environment variable keeps it from being revealed if the source code gets uploaded to a public repository. Developers can also store API keys in secure files outside the application's source tree or use a secrets management service.
• Rotate API keys. API keys don't change or expire until their owner purposefully deletes them. Constantly rotate API keys to reduce potential vulnerabilities if exposed. Create a security policy that requires changing API keys every 30, 60 or 90 days. Many compliance regulations and frameworks, such as ISO 27001, require regular key rotation.
• Delete unused API keys. Alongside rotating keys, delete unused or unneeded API keys to prevent malicious actors from using them in an attack.