Overview
This tutorial shows you how to connect to an application-restricted REST APIusing API key authentication and the C# programming language.
To call an application-restricted API, you need to tell the API which application is calling it.
When using API key authentication every request must contain a header which contains a key. This key is called an API key. There is no "standard" name for the header name and you should always refer to the documentation to check the correct name. In our tutorial, we send a request to theHello World APIand the API key header is called apikey.
Setting up your environment
This example project was developed using .NET version 6.0, so you need to have this installed.
Check out the GitHub repository
You can find the code for this C# application-restricted REST API - API key authentication tutorial in ourGitHub repository
This project contains:
To follow this tutorial, download or clone this repository.
Create an application
You need to create an application using our Developer portal.
This gives you access to your application ID and API key. To do this, follow Step 1 'Create an application' ofour guide.
Notes:
- when creating a new app, you need to select the 'Environment'. For this tutorial select 'Sandbox'.
- when editing your application details and selecting the API you want to use, select 'Hello World (Sandbox)'. You might be prompted for a callback URL which is not required for the API key authentication method, so you can enter a dummy value such as https://www.example.com.
- make a note of your API Key
Populate the project's environment variables
You should now haveyour application's API Key.
To run the example tutorial, you need to set the following environment variables.
| Variable name | Description |
| CLIENT_ID | Your application's API Key |
| ENDPOINT | The URL for the API you wish to call. In this tutorial, we make a request to the Hello World Sandbox's application-restricted endpoint:
https://sandbox.api.service.nhs.uk/hello-world/hello/application |
You can set your environment variables in a file named .env. This project contains a sample env file to use:
- rename env.sample to .env and modify it.
- source it by running source .env
Run the code
Once you set the environment variables, you are ready to run the project.
Run the application
You should first source your environment variable file before executing your application.
Assuming you are using dotnetcli tool:
source .env
dotnet run
Run using Makefile
Alternatively you can set your environment variables in a file named .env. Then use the make command: make run. See the README for more info.
When you run the code, you should receive the following response from the Hello World application, showing you succeeded:
{ "message": "Hello Application!"} Create a developer account
Last edited: 24 October 2022 4:37 pm
FAQs
To use an API that requires key-based authentication, the user or application includes the API key as a parameter in the request, typically as a query parameter or in a header. The API provider verifies the key and then allows or denies access to the API based on the user's permissions and the API's usage limits.
How do I pass API authentication? ›
Basic authentication is a simple and fast method of HTTP authentication. To access the API endpoint, the user must send a username and password to the API provider in the authentication header of the request. The API provider checks the credentials and, in the case of success, grants access to the user.
How to call REST API with authentication in C#? ›
Here we go!
- Step 1 : New Project. Open Visual Studio and select New Project. ...
- Step 2: Select the “Web API” Template. Select the “Web API” Template. ...
- Step 3: Click “Change Authentication”
- Step 4: Select Windows Authentication. ...
- Step 5 – Edit the “Index” Method of the “Values” Controller. ...
- Step 6 – Build.
You can pass the API Key to the API in a few ways, such as through the query string or a request header. I will show you how to implement API Key authentication where the API key is passed in a request header. But the implementation would be similar if we were to use any other approach.
How to secure API in C#? ›
Let's discuss below 12 topics for making our APIs more secure:
- Use HTTPS 🔒
- Use OAuth2 🔐
- Use Rate Limiting 🚦
- Use API Versioning 🌀
- Input Validation ✅
- Use Leveled API Keys 🗝️
- Authorization 🔐
- Allowlist ✅
API keys are also way more secure than basic authentication and grant access via a string of text, but they are different from token authentication in one crucial aspect. While token authentication proves who the user is that's accessing the API, it doesn't identify the application making the request.
Which three methods can be used to authenticate to an API? ›
We'll highlight three major methods of adding security to an API — HTTP Basic Auth, API Keys, and OAuth.
What is the most secure API authentication method? ›
OAuth 2.0. OAuth 2.0, or Open Authorization, is the industry standard for online authorization. The protocol is designed to let applications securely access resources hosted by other web apps and control access to their resources — all without revealing credentials.
What is an API key example? ›
An API key is a token that a client provides when making API calls. The key can be sent in the query string: GET /something?api_key=abcdef12345.
How to do authentication in C#? ›
Steps For User Authentication:
- Step 1: START.
- Step 2: Take user details like name, username, and password.
- Step 3: Verify Password with constraint.
- Step 4: If Step 4 is successful then show the message Account Created else repeat Step 2 and Step 3 until Step 3 does not return Successful.
Simply put, authentication is the process of verifying who someone is, whereas authorization is the process of verifying what specific applications, files, and data a user has access to. The situation is like that of an airline that needs to determine which people can come on board.
How to authenticate using API key? ›
Basic Auth and API keys can also be used together. You can pass the API key via Basic Auth as either the username or password. Most implementations pair the API key with a blank value for the unused field (username or password).
How do I Authorize an API in .NET core? ›
Learn how Auth0 works and read about implementing API authentication and authorization using the OAuth 2.0 framework.
- Define permissions.
- Install dependencies.
- Configure the middleware.
- Validate scopes.
- Protect API endpoints.
- Call your API.
4 methods for REST API authentication
- API keys as headers. First, we have API authentication via HTTP headers. ...
- API keys as query parameters. Alternatively, some vendors will ask us to provide authentication details as API parameters. ...
- Basic auth. ...
- Bearer tokens.
You can set up API key validation for an API by attaching a policy of type Verify API Key. The only required setting for a VerifyAPIKey policy is the expected location of the API key in the client request. The API proxy will check the location that you specify, and extract the API key.
How can I authenticate API requests? ›
To authenticate API requests, use basic authentication with your email address and password, your email address and an API token, or an OAuth access token. All methods of authentication set the authorization header differently. Credentials sent in the payload or URL are not processed.
How to call API with API key? ›
How to Make API calls
- Find the URI of the external server or program.
- Add an HTTP verb.
- Include a header.
- Include an API key or access token.
- Wait for the response.
