What Are API Keys, And Why Are They So Important? | System Design Interview Basics

  • Published on 23 Jul 2024
  • API key authentication was invented to overcome the weaknesses of shared credentials, which were a big problem in HTTP basic authentication. It can be used for two things. First, client app identification, to identify the application that's making a call to your backend's API. Second, client app authorization, which checks whether the calling application has been granted access to call the API.
  • Science & Technology

Comments • 42

  • @sigmadetected7270 2 years ago

    Great to have you back ❤️

  • @richekwere66 a year ago +1

    Thanks for this

  • @dees_good_vibes3391 a year ago

    What site do we use to generate an api key please?

  • @BarathNatarajan 5 months ago +3

    Hey u are doing an amazing job, u deserve more views. please make more content !

    • @big_tech_coach 4 days ago

      Thank you so much! I'll plan to come back soon, creating more videos!

  • @asadhussain2598 a year ago +1

    Nice explanation of API Keys. If we want to generate an api-key in the backend server, should I generate a random string of fixed length and then encode it with base64? After that store in database. And then how could I validate the api-key?
    Once the api-key is validated we can easily filter the user-uuid against the api-key from database.

    • @big_tech_coach a year ago +1

      Good question Asad!
      Generating a random string of fixed length and then encoding it with Base64 is one way to generate an API key, but it is not necessarily the best approach.
      A better way would be to use a secure random number generator to create a random string of sufficient length and complexity to ensure that it is highly unlikely to be guessed or brute-forced. The exact length and complexity of the key will depend on the level of security.
      To validate the key you maintain a list of authorized keys on the server-side and check whether the key presented by the client is present in that list. If the key is not present in the list, it is likely that the client is not authorized to access the API and the request should be rejected.

    • @asadhussain2598 a year ago +1

      @Big Tech Coach Thank you for the answer. I'll definitely look for your recommendations. I have also looked at solutions from other developers and experts; they recommend appending the checksum and prefix for extra validations.

    • @big_tech_coach a year ago

      @asadhussain2598 Absolutely right approach! Evaluate what options are out there and pick the one that seems most suitable for your context. There is no silver bullet in CS, as we all have to learn ourselves at one point in our careers.

    • @asadhussain2598 a year ago

      I agreed. Thanks bro
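
The key handling discussed in the thread above, sketched as an added example (not code from the video or from any commenter). It generates the key with a secure random generator and adds the prefix and checksum mentioned in the replies; as an extension beyond the thread, the server stores only a SHA-256 hash of each key instead of the key itself. The `demo` prefix, the in-memory `store` dict and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import zlib

PREFIX = "demo"  # hypothetical prefix; identifies the issuer or environment

def key_checksum(body: str) -> str:
    # CRC32 only catches typos and truncation; it adds no secrecy.
    return format(zlib.crc32(body.encode()), "08x")

def key_digest(key: str) -> str:
    # Plain SHA-256 is sufficient because the key carries 256 random bits.
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(store: dict, app_id: str) -> str:
    """Create a key, record only its hash, and return the plaintext once."""
    body = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    key = f"{PREFIX}_{body}_{key_checksum(body)}"
    store[key_digest(key)] = {"app_id": app_id, "revoked": False}
    return key

def validate_key(store: dict, presented: str):
    """Return the owning app_id, or None if the request must be rejected."""
    head, sep, rest = presented.partition("_")
    # The body may itself contain "_", so split the checksum off from the right.
    body, sep2, check = rest.rpartition("_")
    if head != PREFIX or not sep or not sep2:
        return None
    if check != key_checksum(body):
        return None  # malformed or mistyped: rejected without a store lookup
    # Lookup is by hash, so a leaked store does not reveal usable keys.
    record = store.get(key_digest(presented))
    if record is None or record["revoked"]:
        return None
    return record["app_id"]
```

The plaintext key is returned only at issue time, so a client that loses it needs a new key rather than a lookup.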

  • @vijayas8007 7 months ago +1

    wow thank you..nice explanation

  • @mario17-t34 a year ago +1

    very nice explanation, now I'm ready to put this into practice

    • @big_tech_coach a year ago

      Great!

    • @vijayas8007 7 months ago

      @big_tech_coach nice tool thanks

    • @javeesteva9922 a day ago

      is there a payment to get an api? when yes, how much? thanks

  • @mario17-t34 a year ago +1

    Thanks again, I tried to use Auth with x-api-key and got , does it mean that that API accepts only -Basic authentication?

    • @big_tech_coach a year ago

      This issue could have various reasons.
      Now, let's troubleshoot this:
      Check the API Key: I'm sure you've already done this, but it never hurts to double-check. Make sure the API key in the "x-api-key" header is correct and in the expected format. Those tiny typos can be sneaky!
      API Key Permissions: It's possible that the API key you're using doesn't have the right permissions to access the specific resources or endpoints you're trying to reach. Let's see if we can grant it the power it needs.
      API Key Expiry or Revocation: API keys can sometimes have a limited lifespan or get revoked for security reasons. Check if your key is still valid and kicking.
      Mind the Endpoint: Ensure that you're sending the API key to the correct endpoint, and using the right HTTP method (GET, POST, etc.) for the request. It's easy to get turned around with those pesky endpoints!
      If you've gone through the checklist and still find yourself scratching your head, don't worry!
      API hiccups happen to the best of us. Reach out to the API provider's support team, and they'll be more than happy to lend a hand.

    • @mario17-t34 a year ago +1

      @big_tech_coach Thanks mucho BT!!! I'm armed now !!! In my case most difficult part is -)

  • @ayasswain a year ago +1

    Nice explanation of API keys. May I know the drawing tool that you use for your system design diagrams? The diagrams that are shown at 3:42 are beautiful, neat and easy to understand.

    • @big_tech_coach a year ago +2

      Hi Ayaskant, thanks! The tool is called excalidraw, it's free and here you find the component library I created for it.
      bigtechcoach.gumroad.com/l/excalidraw-system-design-symbols
      It's free too, but a donation is always welcome ;-)

  • @mohammedk.h.f3016 a year ago +1

    Very useful.
    Thanks........

  • @MirosawNowak a year ago

    Could you explain the difference between app and user identification? I am who create, store and administrate API keys? BTW Great video! Thanks a lot:)

    • @big_tech_coach a year ago

      Thanks! The difference between user and app identification always causes confusion. Let's say you run a startup, and you provide the most granular weather data world-wide via API to your paying customers. Somehow you need to make sure only frontends of customers can connect to your REST API; that's why you would hand out API keys to your customers to make sure you can tell apart the good from the bad requests.
      User identification is a concern when you want to control the access to your API based on individual user characteristics. You probably want only employees of your paying customers to be able to access the API; that's when you start to be concerned about the identity of who makes the API calls to your service.

  • @DontTakeCrack a year ago

    great! now please explain api key secrets :)

    • @fabianhinsenkamp613 a year ago +1

      Thanks :-) I just added API key secrets to my backlog!

    • @DontTakeCrack a year ago

      @fabianhinsenkamp613

  • @soner8780 a year ago +2

    I wanted to learn how they could be dangerous, why should we hide api keys???

    • @big_tech_coach a year ago +1

      Can you clarify, dangerous in which way?

    • @soner8780 a year ago +1

      @big_tech_coach in any way. For ex. I was making a React weather app, even there the instructor was hiding his api keys. Why should we hide api keys?

    • @big_tech_coach a year ago +1

      @soner8780 The API key is used to authenticate a client application. If you would get your hands on the key of the instructor of your weather app you could call the API and pretend to be his client application. That becomes an issue especially when the API provider charges per call.

    • @soner8780 a year ago

      @big_tech_coach no. It's a free api.

    • @big_tech_coach a year ago

      @soner8780 request limit? Imagine every one of his students hits the API with his key, that's probably too many requests.

  • @mansish72700 a month ago +1

    Well explained mate