Validating clients aren't using other API Keys

Hey guys,

Currently we have several clients that use our APIs, some are allowed to use more proxies than others. My question is, is there a way for us to validate that the only client using their assigned API key is the one we expect?

Say for example I have two clients. One client A has access to proxies 1, 2, and 3 using API Key X. Client B only has access to proxy 1 using API Key Y. Is there a way for me to check that the traffic coming into proxies 2 and 3 are only from the client A and not client B using API Key X?

I would assume you could track the set of IP addresses coming in from the clients but there are ways of spoofing IP’s so I’m looking for a bit of help on this.

You can perform IP Whitelisting with the AccessControl policy.

The next question you may wish to ask is - can you dynamically set the IP address for that policy?

Not currently, but that enhancement is in the backlog.

(If you need to restrict with dynamic IPs, you could do it with a JavaScript policy)

But I think restricting by IP address is not super useful.

Better to restrict by the API Key. This, coupled with the API Product concept, allows you to perform the checks you desire.

The requirement, of course, is that the API Keys that you distribute, remain secret.

Suppose you have clientA and clientB. And apikeyA and apikeyB, respectively.

Edge will see apikeyA and then conclude that this is a call that originates from clientA.

clientA (the app as configured in Edge) has authorization to call a particular API Product. Let’s call it API ProductA. ProductA includes proxy1 proxy2 and proxy3.

clientB (the app) has authorization to call ProductB. ProductB includes proxy1, only.

therefore an inbound request bearing the key for clientB (apikeyB) will be allowed only in proxy1, and an inbound request bearing apikeyB will not be allowed in proxy2 or proxy3.

If the developer for “client A” somehow obtains the key that has been distributed to “client B”, then client A might use apikeyB, in which case the keys become meaningless, and you cannot rely on them for restricting access. Secrecy of the key is required to maintain the integrity of the system.

Does this help?

I think the best solution is to move beyond the identification step of using API keys and into authentication realm. Client credentials OAuth, or even just basic auth with client_id and secret would give you a bit more certainty.

Good point @Carlos Eberhardt !

@Jordan Greisinger You can use API keys to meter API calls. They are easy to acquire, use and revoke. But they cannot guarantee you authentication. But if you need more than that you either use OAuth or other stronger security schemes to authenticate your clients.