Wednesday, April 29, 2015

Should I still use an API key if the client IP is whitelisted

This is my first time writing a public-facing web API.

My manager is suggesting not to use an API key for a Web API I am writing because we are whitelisting the IP of the client consuming the API, and he doesn't think we need to bother with an API key (i.e. extra time and complexity).

I am interested in the opinion of others.

I think we do require an API key for the following reasons, in DESCENDING order of importance.

  1. Allow tracking and limiting of requests from the client based on the API key. Their IP may possibly change from time to time but the API key should not. So future reporting of requests would be easier with an API key.

  2. The whitelisted IP can be spoofed? From the reading I have done, I think the fact that TLS will be enabled makes this impossible, because a handshake between server and client is done, so a spoofed IP would cause a failure of this handshake?

  3. He doesn't have a clue and I should ignore him on principle :-)

Does the fact that we are relying on whitelisted IPs remove the need for separate Authentication using the API key (the client has access to all of the API so no need for Authorization)?
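
The combination the question weighs, an IP allowlist plus an API key used for per-client tracking and limiting, shown as an added example that is not part of the original post. The address range, key value, limits and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import time
from collections import defaultdict, deque

# Constructed sample configuration: documentation address range and a made-up key.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]
# Store only a digest of each key, mapped to the client it identifies.
KEY_DIGESTS = {hashlib.sha256(b"demo-key-client-a").hexdigest(): "client-a"}
RATE_LIMIT = 3        # requests allowed per window, per client
WINDOW_SECONDS = 60

_recent = defaultdict(deque)   # client id -> timestamps of accepted requests


def identify_client(presented_key):
    """Return the client id for a key, or None. Each comparison is constant-time."""
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    found = None
    for stored, client in KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):
            found = client
    return found


def check_request(remote_ip, presented_key, now=None):
    """Return (http_status, client_id) for one incoming request."""
    now = time.time() if now is None else now
    addr = ipaddress.ip_address(remote_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return 403, None                      # network-level gate
    client = identify_client(presented_key or "")
    if client is None:
        return 401, None                      # allowlisted source, but no valid key
    window = _recent[client]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()                      # drop requests older than the window
    if len(window) >= RATE_LIMIT:
        return 429, client                    # limit follows the key, not the IP
    window.append(now)
    return 200, client
```

Because the counter is keyed on the client id derived from the API key, the limit and any later reporting stay attached to the same client when its source address changes within the allowlisted range.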



