在标题或URL的地方API密钥 [英] Place API key in Headers or URL

问题描述

我设计一个公共的API来我公司的数据。我们希望应用程序开发人员注册一个API密钥，这样我们就可以监控使用和过度使用。

I'm designing a public API to my company's data. We want application developers to sign up for an API key, so we can monitor use and overuse.

由于API是休息，我最初的想法是把这个按键自定义标题。这就是我见过的谷歌，亚马逊和雅虎这样做。我的另一方面老板认为该API是更容易使用，如果该键简单地变成URL的一个部分，等的http：//api.domain.tld/longapikey1234/resource。我想有东西，要这样说，但它有点违背URL作为一个简单的你想要什么地址的原则，而不是如何或为何你想要它。

Since the API is REST, my initial thought is to put this key in a custom header. This is how I've seen Google, Amazon and Yahoo do it. My boss on the other hand thinks the API is easier to use, if the key simply becomes a part of the URL, etc. "http://api.domain.tld/longapikey1234/resource". I guess there is something to be said for that, but it kinda violates the principle of the URL as a simply address of what you want, and not how or why you want it.

你会发现它的逻辑将在URL中的关键？或者你更愿意没有如果写入一个简单的JavaScript前端一些数据进行手动设置HTTP头？

Would you find it logical to put the key in the URL? Or would you rather not have to manually set HTTP headers if writing a simple javascript frontend to some data?

推荐答案

应该放在HTTP Authorization头。该规范是在这里 https://tool​​s.ietf.org/html/rfc7235

It should be put in the HTTP Authorization header. The spec is here https://tools.ietf.org/html/rfc7235

这篇关于在标题或URL的地方API密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！