This document provides background information on API Key Authentication covering what it is, when should it be used, and how it should be used.

 

What is API Key Authentication

 

GrowthZone supports two general forms of Authentication; User and Server.

 

User authentication is the process of a user providing who they claim to be, either by entering credentials or delegating the burden of proof to an external Identity Server.

 

Server authentication is the process of a server, or more specifically an Application, identifying itself in the absence of any physical user involvement.

 

GrowthZone supports Server authentication through the issuing of unique API Keys for each Application that requires authentication. On the outside an API Key is just a string of random characters but it is designed to be large enough and with enough uniqueness that the possibility of guessing it is extremely difficult.

 

When should API Key Authentication be used?

 

An API Key is suitable under the following conditions:

• You have an application that requires access to GrowthZone data.
• Your application's data requirements can be satisfied without the context of an individual user.
• You can store the API key in a secure place.
• Your application can use HTTPS.
• Your application is a server-based application that can communicate over backchannels.

 

An API Key is not suitable when:

• You need to identify as a user as an API Key can only identify the application.
• Your application runs client side where the API Key could be exposed publicly.

 

Security of an API Key

 

Unlike other forms of API access, an API Key doesn't have an expiration and cannot be revoked without deleting the configuration from within GrowthZone.

 

How does API Key Authentication work?

 

The API Key authentication works by using the ApiKey scheme with the Authorization header for each HTTPS request.

 

Host: example.com

Authorization: ApiKey [API KEY]

 

GET /api/contacts/root/claims