什么是 API 密钥? [英] What is an API key?

问题描述

我现在几乎在每个跨服务应用程序中都能看到这个词.

I see this word in almost every cross service application these days.

API 密钥究竟是什么?它的用途是什么?

另外，API 公钥和私钥有什么区别.

Also, what is the difference between public and private API keys.

推荐答案

API 密钥确切地"用于什么在很大程度上取决于谁发布它以及它用于什么服务.然而，总的来说，API 密钥是某种形式的秘密令牌的名称，该令牌与 Web 服务(或类似)请求一起提交，以识别请求的来源.密钥可能包含在请求内容的某个摘要中，以进一步验证来源并防止篡改值.

What "exactly" an API key is used for depends very much on who issues it, and what services it's being used for. By and large, however, an API key is the name given to some form of secret token which is submitted alongside web service (or similar) requests in order to identify the origin of the request. The key may be included in some digest of the request content to further verify the origin and to prevent tampering with the values.

通常情况下，如果您可以肯定地识别请求的来源，则它充当一种身份验证形式，可以导致访问控制.例如，您可以根据执行请求的人员限制对某些 API 操作的访问.对于通过销售此类服务赚钱的公司来说，这也是一种跟踪谁使用该产品进行计费的方式.此外，通过阻止密钥，您可以在请求量过高的情况下部分防止滥用.

Typically, if you can identify the source of a request positively, it acts as a form of authentication, which can lead to access control. For example, you can restrict access to certain API actions based on who's performing the request. For companies which make money from selling such services, it's also a way of tracking who's using the thing for billing purposes. Further still, by blocking a key, you can partially prevent abuse in the case of too-high request volumes.

一般来说，如果您同时拥有公共和私有 API 密钥，则表明这些密钥本身就是以某种形式使用的传统公共/私有密钥对 非对称加密，或相关的数字签名.这些是更安全的技术，可用于积极识别请求的来源，此外，还可保护请求的内容免遭窥探(除了篡改).

In general, if you have both a public and a private API key, then it suggests that the keys are themselves a traditional public/private key pair used in some form of asymmetric cryptography, or related, digital signing. These are more secure techniques for positively identifying the source of a request, and additionally, for protecting the request's content from snooping (in addition to tampering).

这篇关于什么是 API 密钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！