
How to design secure web API access for your website


When we allow users to access the web API, we need to ensure that each API request is authenticated. This means we need to confirm that the caller is who they claim to be before serving the request.


In this post, we look at two common ways to secure API access:

  1. Token-based authentication

  2. HMAC (Hash-based Message Authentication Code) authentication

The diagram below shows how each method works.

Token-based Authentication

  1. The user enters their password on the client, which sends it to the Authentication Server.

  2. The server verifies the password and creates a token with an expiration time.

  3. The client can now use this token in the HTTP header to make requests to the server.

  4. The token remains valid until it expires, allowing access to the server resources.

HMAC-based Authentication

  1. The server generates two credentials: a public identifier (Public APP ID) and a secret key (API Key). Both sides hold the API Key, but it is never sent with requests.

  2. On the client side, a signature (HMAC) is created using these keys and certain attributes listed in the diagram.

  3. The client sends requests to the server with this HMAC signature in the HTTP header.

  4. The server receives the request, extracts the attributes, and generates its own signature (HMAC B) using the stored API Key.

  5. The server compares HMAC A (from the client) and HMAC B (from the server). If they match, the server responds to the request.

Question: How does HMAC ensure data integrity? Why do we include the request timestamp in the HMAC?

Answer: HMAC ensures data integrity by creating a unique signature over the request data using the secret key, so if any signed data is changed in transit, the signature the server recomputes won't match. Including the request timestamp helps prevent replay attacks (old requests being captured and resent), because a signature is only accepted within a short time window around the timestamp it covers.
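The HMAC flow above (client signs, server recomputes and compares) and the timestamp check from the answer, as an added example that is not part of the original post. Header names, the canonical string layout, the 300-second window and the credentials are assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Constructed sample credentials (assumed values): the server issues them,
# and the API Key is stored on both sides but never transmitted.
PUBLIC_APP_ID = "app-demo-001"
API_KEY = b"constructed-secret-api-key"
CREDENTIALS = {PUBLIC_APP_ID: API_KEY}   # server-side key store
MAX_SKEW_SECONDS = 300                   # accepted timestamp window

def canonical_string(method, path, timestamp, body):
    """Attributes covered by the signature; changing any of them changes the HMAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])

def sign_request(api_key, method, path, timestamp, body):
    """HMAC-SHA256 over the canonical string, hex-encoded (HMAC A on the client)."""
    msg = canonical_string(method, path, timestamp, body).encode()
    return hmac.new(api_key, msg, hashlib.sha256).hexdigest()

def build_headers(app_id, api_key, method, path, body, now=None):
    """Client side: attach app id, timestamp and signature as HTTP headers."""
    ts = int(now if now is not None else time.time())
    return {
        "X-App-Id": app_id,
        "X-Timestamp": str(ts),
        "X-Signature": sign_request(api_key, method, path, ts, body),
    }

def verify_request(headers, method, path, body, now=None):
    """Server side: recompute HMAC B from the received attributes and compare.
    Returns (ok, reason) so rejected requests can be logged with a cause."""
    api_key = CREDENTIALS.get(headers.get("X-App-Id"))
    if api_key is None:
        return False, "unknown app id"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window (possible replay)"
    expected = sign_request(api_key, method, path, ts, body)
    # Constant-time comparison so response timing does not leak the signature.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch (tampered request or wrong key)"
    return True, "ok"
```

The time window only bounds how long a captured request stays valid; to reject a replay inside that window the server additionally needs to remember seen signatures or a per-request nonce for the duration of the window.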

Author

AiUTOMATING PEOPLE, ABN ASIA was founded by people with deep roots in academia, with work experience in the US, Holland, Hungary, Japan, South Korea, Singapore, and Vietnam. ABN Asia is where academia and technology meet opportunity. With our cutting-edge solutions and competent software development services, we're helping businesses level up and take on the global scene. Our commitment: Faster. Better. More reliable. In most cases: Cheaper as well.



© ABN ASIA
