x-api-key for Usage Plans

Question

I am planning to write a custom authorizer which returns in one of it's response, the api-key for usage plans purposes  
  
can our client send the x-api-key in the path parameter?  
e.g.  
https://our.api.amazon.com/api/v1/greetings/****/sayHello  
  
is there any security risk of having it in the path parameter?

Answer

> can our client send the x-api-key in the path parameter?  
  
You do have access to the path parameters in a request authorizer, so yes. You could also have your customers send a completely distinct value from the api key and do a cross reference in an internal data store if you so choose, meaning that your customer would never send the actual key directly.  
  
> is there any security risk of having it in the path parameter?  
  
Only if this is the only form of authentication you are using on your API (which we do not recommend). URLs are logged in most proxy server implementations, meaning that if a customers traffic is going through a proxy of some kind their keys would be exposed to the proxy owner.  
  
Regards,  
Bob

x-api-key for Usage Plans

相關內容