
I am trying to understand why services (like - but not limited to - Cloudinary) need an Application ID, API Key and an API Secret:

cloudinary.config({
  cloud_name: 'sample', // basically an application ID
  api_key: 'XXXX',
  api_secret: 'XXXX'
})

My understanding is that

  • Application ID identifies an application
  • API Secret is analogous to a password
  • I have no clue why you need a (public) API Key as well.

Can someone please explain?

  • With properly stored credentials you need 1) an identifier ("username", api_key) and 2) a secret ("password", api_secret). The third thing is likely just a friendly identifier which shows up in logs or admin UIs somewhere, but is not used for anything else. – deceze Feb 21 '17 at 15:02
  • I think that makes total sense because each application can have multiple secrets. The `key` just identifies each secret for logging, is that right? – Security Expert Feb 21 '17 at 15:16

1 Answer


Let's point out the key points:

  1. They are publicly documented and accessible; anyone can reach their endpoints.
  2. Mostly these services are premium after some usage limit.
  3. Their servers have various costs involved in terms of bandwidth, memory, space, etc.
  4. They may be dealing with sensitive/copyrighted data.

Now, just think of the losses involved if someone tries to do something malicious. It could result in a huge loss to either the service provider or the service client.

So, services use different methods to restrict/safeguard usage, i.e. so that no unauthorised person is able to access them. The combination of

  • unique_end_point_name (Application ID)
  • api_key (API Key)
  • api_secret (API Secret)

is one popular way to do this, and it transfers control from the service to the customer.

So, the customer is solely responsible for any cost involved for the service.

The API Key is shared across the end users, so the customer only approves requests from those sources and then uses his own API secret to use the service.

Aditya T