How to do API Key Verification for WebHTTP (REST) Services in .NET 4
Recently somebody asked me about doing API key verification in .NET 4. Previously, in .NET 3.5, we provided the REST Starter Kit, which included a fair bit of server-side code to enable a collection of RequestInterceptor objects that we showed doing API key verification. This sample shows how you can use a ServiceAuthorizationManager in WCF to accomplish the same goal.
What is an API Key and Why do I need to verify it?
When you create a RESTful service on the public web, you have to protect yourself from people who might abuse your service. Once it is available to the public for use by anonymous users, if people start abusing the service by invoking it too much or trying to hack into it, you need a way to shut off their access to your service.
I recall a few years ago when I was doing ARCast.TV we started seeing a huge spike in download traffic. We wondered if I had suddenly become very popular, but sadly it turned out to be a buggy add-on for Windows Media Center that was repeatedly downloading episodes until it filled up the hard drive; then it would delete them and download again until the user's ISP would shut off their connection.
In the world of the web, the provider has to pay the bandwidth charges for such bugs, so needless to say we weren’t very happy about this. We decided to block that particular program, but we couldn’t block it by IP address since there were many customers around the world using it. Fortunately, they set the User-Agent string so we could filter out their requests.
But what if they didn’t use the User-Agent string? What if they were a malicious program trying to make my bandwidth charges go so high that I would have no alternative but to shut down the feed? This is where an API Key becomes useful.
Most public Web APIs ask you to sign up for their developer program, even if it is free to access their service. Once you sign up, they provide you with an API key that you have to pass whenever you call their service. That way, if they detect that your app is buggy or malicious, they can simply revoke your API key and you won’t be able to access the service anymore.
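A minimal sketch of the approach described above, added here as an illustration and not taken from the original sample or template: a ServiceAuthorizationManager subclass that denies any request whose key is missing, malformed, unknown or revoked. The `apikey` query parameter name, the `ApiKeyStore` class and the `MyAssembly` name are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Specialized;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Web; // HttpUtility; requires a reference to System.Web.dll

// Hypothetical in-memory key store; a real service would use a database.
public static class ApiKeyStore
{
    // Value is true while the key is active and false once it is revoked.
    private static readonly ConcurrentDictionary<Guid, bool> Keys =
        new ConcurrentDictionary<Guid, bool>();

    public static Guid Issue() { var key = Guid.NewGuid(); Keys[key] = true; return key; }

    // Flip active -> revoked; returns false if the key was unknown or already revoked.
    public static bool Revoke(Guid key) { return Keys.TryUpdate(key, false, true); }

    public static bool IsActive(Guid key)
    {
        bool active;
        return Keys.TryGetValue(key, out active) && active;
    }
}

// Register on the service behavior in web.config (assembly name is a placeholder):
//   <serviceAuthorization
//       serviceAuthorizationManagerType="ApiKeyAuthorizationManager, MyAssembly" />
public class ApiKeyAuthorizationManager : ServiceAuthorizationManager
{
    private const string ApiKeyParameter = "apikey"; // assumed parameter name

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        object prop;
        if (!operationContext.IncomingMessageProperties.TryGetValue(
                HttpRequestMessageProperty.Name, out prop))
            return false; // not an HTTP request, so there is no key to check

        var http = (HttpRequestMessageProperty)prop;
        NameValueCollection query =
            HttpUtility.ParseQueryString(http.QueryString ?? string.Empty);

        Guid key;
        // Fail closed: a null or malformed value never reaches the store lookup.
        return Guid.TryParse(query[ApiKeyParameter], out key)
            && ApiKeyStore.IsActive(key);
    }
}
```

A key carried in the query string is recorded in server and proxy logs, so serve the endpoint over HTTPS and treat those logs as sensitive.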
For more information
WCF REST Service with API Key Verification Template
How to do API Key Verification for REST Services in .NET 4
Jun 19 2010 at 6:29 PM, version 5