1

I am building my URL to make an API call, using the key and secret that the provider has given me.

https://api.testurl.com/api/test/calldata?key=12345&secret=999999&query=hello

My question is I am appending the 'query' based on user input each time and performing the call with the 'key' and 'secret' every time - to me this doesn't seem that secure. Isn't the secret key exposed each time the call is made?

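using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json;

public async Task<List<APIResult.Data>> ApiAsync()
{
    // _apiUrlToCall holds the full request URL built beforehand.
    using (var client = new HttpClient())
    {
        HttpResponseMessage response = await client.GetAsync(_apiUrlToCall);

        // Non-success status: return null instead of parsing the body.
        if (!response.IsSuccessStatusCode) return null;

        var result = await response.Content.ReadAsStringAsync();
        var rootResult = JsonConvert.DeserializeObject<APIResult.Rootobject>(result);
        return rootResult.Data.ToList();
    }
}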
0

2 Answers

4

Normally you'd pass the identity data (in this case your key and secret) in an HTTP header rather than on the querystring. That way it doesn't get logged anywhere (e.g. IIS logs, browser history, slurped by Google, Facebook et al. trackers).

If you're using HTTPS that should stop it being exposed anywhere else.

But yes, since HTTP is stateless you have to send some sort of identifying data every time you make a request, be that a secret key, Kerberos token, session cookie, whatever it is.


2

You can pass the key & secret as an HTTP header. Normally for a REST API the Authorization HTTP header is set with the auth token. You could do something similar.
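An added example (not code from the question or from either answer) of what both answers describe: the key and secret move from the query string into request headers, and the user-supplied query is escaped before it is appended. The header names `X-Api-Key` and `X-Api-Secret` are assumptions; use whatever names the API provider documents, and keep the call on HTTPS.

```csharp
using System;
using System.Net.Http;

public static class ApiRequestExample
{
    // Host and path are taken from the question. The header names are
    // hypothetical and must match what the API provider actually accepts.
    private const string BaseUrl = "https://api.testurl.com/api/test/calldata";
    private const string KeyHeader = "X-Api-Key";       // assumed name
    private const string SecretHeader = "X-Api-Secret"; // assumed name

    public static HttpRequestMessage BuildRequest(string userQuery, string key, string secret)
    {
        // Escape user input so reserved characters such as '&' and '=' are
        // sent as data instead of being parsed as extra parameters.
        var uri = new Uri(BaseUrl + "?query=" + Uri.EscapeDataString(userQuery));

        var request = new HttpRequestMessage(HttpMethod.Get, uri);

        // Credentials travel in headers, so they stay out of the URL that
        // servers and proxies typically write to their access logs.
        request.Headers.Add(KeyHeader, key);
        request.Headers.Add(SecretHeader, secret);
        return request;
    }

    public static void Main()
    {
        // Constructed sample values. In real use, load the key and secret
        // from configuration or a secret store, not from source code.
        var request = BuildRequest("hello & goodbye", "12345", "999999");

        // The URL now carries only the escaped query.
        Console.WriteLine(request.RequestUri.AbsoluteUri);

        // The secret is present as a header and absent from the query string.
        Console.WriteLine(request.Headers.Contains(SecretHeader));
        Console.WriteLine(request.RequestUri.Query.Contains("999999"));
    }
}
```

The returned `HttpRequestMessage` can be passed to `HttpClient.SendAsync` in place of the `GetAsync(_apiUrlToCall)` call in the question.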
