Need to share an API key? Lock down the exchange

API keys—the credentials that allow an individual to access an application’s resources—have a way of being left out on the welcome mat if a developer’s not careful.

In June, for example, Motherboard reported that stolen API tokens for OpenAI have been scraped from code-collaboration sites.

As API keys become an enticing target for hackers looking for application data, developers must be careful as they share them, even with trusted partners. Secure trading practices include technologies like secrets-management platforms, as well as a thorough vetting process.

“There are well-known standards now in terms of how APIs are exchanged between trusted partners,” Kris Lahiri, co-founder and CSO of the enterprise file-sharing service Egnyte, told IT Brew. “That needs to be embedded in a process of diligence around how your partners are even verified.”

Key points. A company like Egnyte may need to integrate with a separate service, like Salesforce, Lahiri said. Or perhaps a defense contractor requires a rocket manufacturer’s data. Both situations potentially involve a key exchange.

That means an API key—a long string of characters, basically—may be sent along to provide the access. An attacker with that credential can potentially see all the information provided by the API.

“You’re free to steal anything in the application; you are free to just pummel the application for anything it will tell you and now it’s all yours,” said Michael Hamilton, CISO at the cybersecurity company Critical Insight.

A Q1 2023 report from Salt, a vendor of API-protection services, found that 78% of recorded attacks on customer data registered on the company’s SaaS platform came from seemingly legitimate users who achieve proper authentication.

Some best practices:

• Secrets managers place the key in an encrypted vault and enable policy management around how credentials are issued and automatically revoked. “Even if a company doesn’t identify that they’ve got a bad actor in their environment, they will naturally sunset or revoke their access over a period of time, just by policy and by automation,” said Edward Lewis, director of secure cloud and digital transformation at the consultancy Optiv, adding that in an ideal world separate keys (and key policies) would be made for each environment, like development and production.
• Role-based and resource-based policies and settings, available in some secrets-management platforms, can also allow or deny access to APIs, based on specified source IP addresses or endpoints. “So, by default, any API key doesn’t just automatically get, let’s call it, ‘God-level’ or ‘super-admin level’ authorization,” said Lahiri.
• The Egnyte co-founder also recommended getting a good understanding of why a partner needs the API key and have them explain the workflow, how the API will be used, and what kinds of encryption and other safeguards will protect the data.

It’s best to make sure, after all, that an application doesn’t make everyone feel welcome.