API Keys
Some APIs use API keys for authorization. An API key is a special token that the client needs to provide when making API calls. The key is usually sent as a request header:
GET /something HTTP/1.1
X-API-Key: abcdef12345or as a query parameter:
GET /something?api_key=abcdef12345API keys are supposed to be a secret that only the client and server know. But, as well as Basic authentication, API key-based authentication is not considered secure unless used together with other security mechanisms such as HTTPS/SSL.
To define API key-based security:
Add an entry with
type: apiKeyin the globalsecurityDefinitionssection. The entry name can be arbitrary (such as APIKeyHeader in the example below) and is used to refer to this security definition from other parts of the spec.Specify whether the API key will be passed
in: headerorin: query.Specify a
namefor that parameter or header.
securityDefinitions:
# X-API-Key: abcdef12345
APIKeyHeader:
type: apiKey
in: header
name: X-API-Key
# /path?api_key=abcdef12345
APIKeyQueryParam:
type: apiKey
in: query
name: api_keyThen, use the security section on the root level or operation level to apply API keys to the whole API or specific operations.
Note that it is possible to support multiple authorization types in an API. See Using Multiple Authentication Types.
Pair of API Keys
Some APIs use a pair of security keys, say, API Key and App ID. To specify that the keys are used together (as in logical AND), list them in the same array item in the security array:
Note the difference from:
which means either key can be used (as in logical OR). For more examples, see Using Multiple Authentication Types.
401 Response
You can also define the 401 "Unauthorized" response returned for requests with missing or invalid API key. This response includes the WWW-Authenticate header, which you may want to mention. As with other common responses, the 401 response can be defined in the global responses section and referenced from multiple operations.
Last updated