Secure your API with API key and HMAC authentication


This article provide you basic information about API Key and HMAC authentication and how we can implement API Key and HMAC authentication into our Web API

What is HMAC Authentication?

HMAC is message authentication code which is generated using a hash function in combination with shared secret key (API Key) and public Key (APP Id).

A server will first time provide APP Id (shared public key) and API key (shared secret key) to a consumer at the time of registration, Client will generate HMAC using APP Id and API key and then the consumer sends that HMAC to a server in the request header. At the server, side server will regenerate HMAC using same APP Id and API key, once the hash generates server will respond to compare hash sent by the client along with regenerated HMAC, If they match then server consider the request as authenticated and process further.


How to create HMAC and send an authorization header to API server?

Consumer needs to generate string by combining APP ID, HTTP Method, request URI, request timestamp, nonce and base 64 string which contains request payload then client will hash this large string using hashing algorithm (SHA256) using shared secret key (API Key), which will create unique hash signature for the request.

The signature will be sent via Authorization header using custom schema. Following is an example of a custom schema.

[Authorization: xyz APPId:Signature:Nonce:Timestamp]

APPID: Public key which shared with consumer

Signature: Hashed string using hashing algorithm (SHA256)

Nonce: It is arbitrary number or string

Timestamp: Number of seconds since 1st Jan 1970 (UNIX time)

Once the server receives a request from the client, it will regenerate HMAC and compare it with authorization header HMAC, if they are equal then the server will consider this call as an authenticated and process the request.

There are some more benefits of having API Key which is explained below

API key is a unique value which is assigned to API consumer. A consumer will use API key whenever they make an API call. A server will provide shared private secret (API Key), the consumer needs to store the API key securely and never shared it with other parties.

API key is a new way of authorizing users. API key uses secret token which will send with a request to authorize API request call.


API consumer needs to pass API Key in a request and API server will validate API key to allow grant access to resources.

API key restricts access to API methods or all methods to a particular group of people. API key doesn’t use to identify users, it mostly uses for identifying a group of people or company. Most of the company now a day uses API key by selling their API and then tracking who’s using the thing for billing purposes.

API key also uses to filter the log and to find out usage pattern in your API traffic.

You can differentiate API key by public or private. You can share public API key to other to allow them to get limited information about your API whereas private key is about your use only.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s