OAuth (Access Token) Vs API Key

I have come across lots of articles, many suggesting to use OAuth over API Key. From my understanding, in OAuth, we finally get an access token, and it is valid for many days. One example: the QuickBooks Online OAuth token is valid for 6 months.

So, an access token is equivalent to an API key. Whoever gets it should keep it secure, similar to API keys. And OAuth calls should be made via HTTPS, similar to API key based calls.

Another advantage over OAuth is Authorization. But we can do the same with API Key model. For example, we can define rules in our database like these API keys can access these APIs.

Now, what is the real advantage of OAuth? If we implement OAuth, we have to ask all our clients to install OAuth-supporting libraries on their servers. And it is a complex task for them and also for us. Whereas in the API Key model it is a simple web call with no additional libraries or complexities.

My intention is just to understand OAuth better and not compare & argue with API Key model.

Note:
I'm not talking about Google & LinkedIn kind of model where users have to see and give permissions. I'm just talking about APIs that we provide to our own customers.

Thanks for your help in advance.



Solution 1:[1]

You need OAuth only when you want to enable a user of your service to allow a third-party client application to access his/her data hosted in your service without revealing his/her credentials (ID & password) to the application.

What a pair of API key & API secret can do is just authentication of a client application. If it is okay for you to allow an authenticated client application to access a user's data without explicit consent by the user, you don't have to use OAuth.
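
The distinction drawn in Solution 1, as an added example that is not part of the original answers: an API key lookup (with per-key endpoint rules, as the question describes) authenticates only the client application, while a token record also names the consenting user, the granted scopes and an expiry. All names, keys and data below are constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data; every name and value here is hypothetical.
def _h(value: str) -> str:
    """Store only a hash of a secret, never the secret itself."""
    return hashlib.sha256(value.encode()).hexdigest()

# API key model: key -> client application and the endpoints it may call.
API_KEYS = {_h("key-acme-123"): {"client": "acme", "endpoints": {"/invoices"}}}

# OAuth-style model: token -> client, the consenting user, scopes, expiry.
TOKENS = {}

def issue_token(client: str, user: str, scopes: set, ttl: int = 3600) -> str:
    """Called only after `user` has explicitly approved `client` for `scopes`."""
    token = secrets.token_urlsafe(32)
    TOKENS[_h(token)] = {"client": client, "user": user,
                         "scopes": set(scopes), "exp": time.time() + ttl}
    return token

def check_api_key(key: str, endpoint: str):
    """Authenticates the client only; no user identity or consent is involved."""
    rec = API_KEYS.get(_h(key))
    if rec is None or endpoint not in rec["endpoints"]:
        return None
    return rec["client"]

def check_token(token: str, scope: str, owner: str, now: float = None):
    """Allows access only to data of the user who granted this token."""
    rec = TOKENS.get(_h(token))
    now = time.time() if now is None else now
    if rec is None or now >= rec["exp"]:
        return None
    if scope not in rec["scopes"] or rec["user"] != owner:
        return None
    return rec["client"], rec["user"]
```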

Solution 2:[2]

API keys are for projects/services, while tokens are used to authenticate users. I came across a very good explanation: when and why to use API key

Solution 3:[3]

> API keys are for projects/services, while tokens are used to authenticate users. I came across a very good explanation: when and why to use API key

This answer is misleading. The document is not talking about the general concept of "API Key". In this context, "API Key" is just the name of an authentication method defined by Google Cloud. Also, "project" is not the general concept of a project; by project it means specifically a Google Cloud Project.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Takahiko Kawasaki
Solution 2 Matthew Hegarty
Solution 3 Conroid