The Airlock Secure Access Hub (SAH) offers a comprehensive set of API protection features. One of them is controlling access to protected APIs using API keys.
The solution involves the Airlock Gateway as policy enforcement point and Airlock IAM to manage and provide information about the clients of the protected APIs.
The solution allows managing Tech-Client (API client) identities with attributes used for access control.
API keys are often hardcoded into client applications. This makes them vulnerable to theft, especially if the client application is distributed over an app store. API keys should only be used for authentication of Tech-Clients if the API key is secured (e.g. Tech-Client is operated in a secured data center environment).
The following sample usage scenarios give an idea of how API keys may be used in API access control.
Tech-Client | Protected API | Sample usage |
|---|---|---|
Fintech webserver | Bank's Account API | The webserver of a fintech company accesses a bank's API to get account information. The API key is securely stored in the code or configuration of the fintech's webserver. The bank can control and report access to the API. |
API client developer | Map service API | An application developer uses an API key to try out an API for a limited amount of time. The map service provider may limit the usage period of the API and impose a rate limit. |
Weather app | Weather forecast API | The company providing the weather forecast wants to make sure that only paying customers are accessing the API. Rate limits may be applied depending on fees. |