问题描述
限时送ChatGPT账号..我正在为我公司的数据设计一个公共 API.我们希望应用程序开发人员注册一个 API 密钥,以便我们可以监控使用情况和过度使用情况.
I'm designing a public API to my company's data. We want application developers to sign up for an API key so that we can monitor use and overuse.
由于 API 是 REST,我最初的想法是将此键放在自定义标头中.这就是我看到谷歌、亚马逊和雅虎这样做的方式.另一方面,我的老板认为,如果密钥只是 URL 的一部分等,API 会更容易使用."http://api.domain.tld/longapikey1234/resource".我想对此有些话要说,但它违反了 URL 作为您想要的简单地址的原则,而不是您想要它的方式或原因.
Since the API is REST, my initial thought is to put this key in a custom header. This is how I've seen Google, Amazon, and Yahoo do it. My boss, on the other hand, thinks the API is easier to use if the key becomes merely a part of the URL, etc. "http://api.domain.tld/longapikey1234/resource". I guess there is something to be said for that, but it violates the principle of the URL as a simple address of what you want, and not how or why you want it.
您认为将密钥放在 URL 中是否合乎逻辑?或者,如果为某些数据编写一个简单的 javascript 前端,您是否宁愿不必手动设置 HTTP 标头?
Would you find it logical to put the key in the URL? Or would you rather not have to manually set HTTP headers if writing a simple javascript frontend to some data?
推荐答案
应该放在 HTTP Authorization 头中.规范在这里 https://www.rfc-editor/rfc/rfc7235
It should be put in the HTTP Authorization header. The spec is here https://www.rfc-editor/rfc/rfc7235
这篇关于将 API 密钥放在标题或 URL 中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
更多推荐
[db:关键词]
发布评论